cbcvebase.
CVE-2026-25130
published 2026-01-30


Priority: P268
Severity: critical (CVSS 3.1 base score 9.6)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.80% (52.0th percentile)
Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a "safe" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix.
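As an added example (not the CAI project's code), a hardened stand-in for a `find_file()`-style tool that closes the sink described above: the untrusted argument string is never handed to a shell, only an allow-list of `find` predicates is accepted, action predicates such as `-exec` are refused, and `find` is invoked with a fixed argv list and `shell=False`. The allow-list, `build_find_argv()` and `find_file()` are assumptions of this example.

```python
import shlex
import subprocess

# Hypothetical hardened stand-in for a find_file-style tool; not the CAI project's code.
# Only these find predicates are accepted, each followed by exactly one value.
ALLOWED_PREDICATES = {"-name", "-iname", "-path", "-type", "-maxdepth", "-mtime", "-size"}
# Predicates that run commands or modify the filesystem; never accepted.
ACTION_PREDICATES = {"-exec", "-execdir", "-ok", "-okdir", "-delete", "-fprint", "-fprintf", "-fls"}
# Characters that would only matter to a shell; rejecting them keeps audit logs simple
# and gives defence in depth even though no shell is involved below.
SHELL_METACHARS = set(";|&$`<>(){}\n")


def build_find_argv(args: str, root: str = ".") -> list:
    """Turn an untrusted argument string into a fixed argv list for find,
    or raise ValueError. Tokens are split with shlex; /bin/sh never sees them."""
    if any(c in SHELL_METACHARS for c in args):
        raise ValueError("shell metacharacter in find arguments")
    tokens = shlex.split(args)
    argv = ["find", root]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ACTION_PREDICATES or tok not in ALLOWED_PREDICATES:
            raise ValueError(f"predicate not allowed: {tok}")
        # Each allowed predicate takes exactly one value, which must not be another flag.
        if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
            raise ValueError(f"missing value for {tok}")
        argv += [tok, tokens[i + 1]]
        i += 2
    return argv


def find_file(args: str, root: str = ".") -> str:
    """Run find with shell=False so no argument is reinterpreted by a shell;
    glob patterns such as *.py reach find literally instead of being expanded."""
    argv = build_find_argv(args, root)
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout
```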

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aliasrobotics | cai | <= 0.5.10 | |

Detection & IOCs (extracted from sources)

version: cai-framework 0.5.10
fix commit hash: e22a1220f764e2d7cf9da6d6144926f53ca01cde
  • Flag calls to subprocess.Popen() with shell=True where user-controlled input is passed directly as arguments — the primary sink for this injection vulnerability.
  • Monitor invocations of the find_file() tool with arguments containing shell metacharacters or -exec flags, as this tool bypasses human-in-the-loop approval and executes without user confirmation.
  • The vulnerability is fully patched at commit e22a1220f764e2d7cf9da6d6144926f53ca01cde; deployments running cai-framework versions up to and including 0.5.10 remain vulnerable and should be upgraded immediately.
  • The find_file() tool is pre-approved as 'safe' within the CAI framework's human-in-the-loop mechanism, meaning exploitation via argument injection into this tool requires no user interaction or approval, elevating the effective exploitability.