CVE-2026-25592
published 2026-02-06
Priority P2 · 66 · critical · 9.9 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS 1.95% (77.7th percentile)
Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed.
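A sketch of the mitigation described above, added here as an example and not taken from Microsoft's advisory or the SDK source. The class name and `allowedRoots` values are hypothetical, and the function names without the `Async` suffix are an assumption about how the kernel exposes these methods to the model.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.SemanticKernel;

// Register with: kernel.FunctionInvocationFilters.Add(new LocalFilePathAllowListFilter(roots));
public sealed class LocalFilePathAllowListFilter : IFunctionInvocationFilter
{
    // Names from the advisory; the un-suffixed variants are an assumption
    // about the function names the kernel registers for these methods.
    private static readonly HashSet<string> Guarded = new(StringComparer.Ordinal)
        { "DownloadFileAsync", "UploadFileAsync", "DownloadFile", "UploadFile" };
    private readonly string[] _roots;

    // allowedRoots: directories the agent may use for local files (hypothetical values).
    public LocalFilePathAllowListFilter(IEnumerable<string> allowedRoots) =>
        _roots = allowedRoots.Select(r =>
            Path.TrimEndingDirectorySeparator(Path.GetFullPath(r)) + Path.DirectorySeparatorChar)
            .ToArray();

    public async Task OnFunctionInvocationAsync(
        FunctionInvocationContext context, Func<FunctionInvocationContext, Task> next)
    {
        if (Guarded.Contains(context.Function.Name))
        {
            context.Arguments.TryGetValue("localFilePath", out object? raw);
            if (!IsAllowed(raw?.ToString()))
            {
                // next() is not called, so the plugin function never runs.
                context.Result = new FunctionResult(context.Function,
                    "Blocked: localFilePath is not allow listed.");
                return;
            }
        }
        await next(context);
    }

    // Canonicalise before comparing so ".." segments and relative paths are
    // resolved first. Fails closed on missing or malformed input; symlinks are not resolved.
    public bool IsAllowed(string? path)
    {
        if (string.IsNullOrWhiteSpace(path)) return false;
        string full;
        try { full = Path.GetFullPath(path); }
        catch (Exception) { return false; }
        return _roots.Any(root => full.StartsWith(root, StringComparison.Ordinal));
    }
}
```

The ordinal comparison is case-sensitive, so on case-insensitive file systems it can reject an allowed path written with different casing; it never admits a path outside the listed roots on that basis.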
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | semantic-kernel | < 1.71.0 | 1.71.0 |
| microsoft | semantic-kernel | >= 0 < 1.39.3 | 1.39.3 |
Detection & IOCs
- Monitor calls to DownloadFileAsync and UploadFileAsync in the Semantic Kernel SessionsPythonPlugin for suspicious or unexpected localFilePath arguments that traverse outside expected directories (e.g., path traversal sequences)
- Flag usage of Microsoft.SemanticKernel.Core versions prior to 1.71.0 (NuGet) and semantic-kernel pip package versions prior to the Feb 08 2026 fix as vulnerable to arbitrary file write via SessionsPythonPlugin
- The vulnerability is specifically within the SessionsPythonPlugin component of the Semantic Kernel .NET SDK; only deployments using this plugin are affected
- Both the NuGet package (Microsoft.SemanticKernel.Core) and the pip package (semantic-kernel) are affected; fixes were added to both on Feb 08, 2026
GHSA
Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK
ghsa·2026-02-06
CVE-2026-25592 [CRITICAL] CWE-22 Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK
### Impact
_What kind of vulnerability is it? Who is impacted?_
An Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the `SessionsPythonPlugin`.
Developers who have built applications which include Microsoft's Semantic Kernel .NET SDK and are using the `SessionsPythonPlugin`
### Patches
_Has the problem been patched? What versions should users upgrade to?_
The problem has been fixed in [Microsoft.SemanticKernel.Plugins.Core version 1.71.0](https://www.nuget.org/packages/Microsoft.SemanticKernel.Plugins.Core/1.71.0). Users should upgrade to version 1.71.0 or higher.
### Workarounds
_Is there a way for users to fix or remediate the vulnerabil
OSV
Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK
osv·2026-02-06
No detection rules found.
No public exploits indexed.
Hackernews
AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution
blogs_hackernews·2026-06-19
CVE-2026-26030 AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution
## AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution
Microsoft researchers have detailed an exploit chain, named AutoJack, that turns an AI browsing agent into a delivery vehicle for remote code execution.
Steer the agent to load an attacker's web page, and that page's JavaScript can reach a privileged local service on the same machine and spawn a process on the host.
No credentials, no sign-in screen, and no further user interaction once the agent loads the page. The attacker only has to get the agent to open it, and a planted link, a URL field, or a prompt injection will do.
The flaw sits in AutoGen
Hackernews
ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
blogs_hackernews·2026-05-29
CVE-2026-25592 ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
## ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
Cybersecurity researchers have disclosed details of a vulnerability in OpenAI ChatGPT that leverages the artificial intelligence (AI) assistant's implicit trust in Markdown links and images to trigger prompt injections and open the door to phishing attacks.
The technique has been codenamed ChatGPhish by Permiso Security.
"The chatgpt.com response renderer trusts Markdown links and Markdown image URLs that originated from a third-party page the assistant has just summarized. It auto-fetches those images and surfaces those links as live, clickable el
Wiz
CVE-2026-25592 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-25592 [CRITICAL] CVE-2026-25592 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25592: Semantic Kernel vulnerability analysis and mitigation
Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed.
Source: NVD
Score: 9.9
Published: February 6, 2026
Severity: CRITICAL
CNA Score: 9.9
Affected Technologies: Semantic Kernel
Has Public Exploit: No
Has CISA KEV Expl
Wiz
CVE-2026-26030 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-26030 [CRITICAL] CVE-2026-26030 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26030: Semantic Kernel vulnerability analysis and mitigation
InMemoryVectorStore
python-1.39.4
InMemoryVectorStore
Source: NVD
Score: 9.9
Published: February 19, 2026
Severity: CRITICAL
CNA Score: 9.9
Affected Technologies: Semantic Kernel
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 25.3
Exploitation Probability (EPSS): 0.1
Affected packages and libraries
semantic-kernel
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Feb 20, 2026
https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64
https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d
https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4
Published 2026-02-06