CVE-2026-39981
published 2026-04-09


Priority: P2 · 60 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.32% (67.2th percentile)

AGiXT is a dynamic AI Agent Automation Platform. Prior to 1.9.2, the safe_join() function in the essential_abilities extension fails to validate that resolved file paths remain within the designated agent workspace. An authenticated attacker can use directory traversal sequences to read, write, or delete arbitrary files on the server hosting the AGiXT instance. This vulnerability is fixed in 1.9.2.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| agixt | agixt | < 1.9.2 | 1.9.2 |
| josh-xt | agixt | < 1.9.2 | 1.9.2 |
| josh-xt | agixt | >= 0 < 1.9.2 | 1.9.2 |

Detection & IOCs (extracted from sources)

  • Look for directory traversal sequences (e.g., '../') in file path arguments passed to the safe_join() function within the AGiXT essential_abilities extension, which fails to validate that resolved paths remain within the agent workspace.
  • Exploitation requires authentication; unauthenticated attackers cannot directly exploit this directory traversal vulnerability.
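
An added example, not AGiXT's code or its 1.9.2 patch: a Python containment check of the kind the description says safe_join() lacked, which resolves the requested path and rejects anything that lands outside the workspace. The function names, sample paths and temporary directory layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def unchecked_join(workspace, user_path):
    # Constructed stand-in for a join with no containment check (not AGiXT's
    # code): the result is normalised but never compared with the base.
    return os.path.normpath(os.path.join(workspace, user_path))


def contained_join(workspace, user_path):
    # Resolve ".." and symlinks on both sides, then require the result to be
    # the workspace root itself or a descendant of it.
    base = Path(workspace).resolve(strict=True)
    candidate = (base / user_path).resolve(strict=False)
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"{user_path!r} resolves outside the workspace")
    return candidate


def classify(workspace, requests):
    # Map each requested path to "allowed" or "rejected".
    verdicts = {}
    for req in requests:
        try:
            contained_join(workspace, req)
            verdicts[req] = "allowed"
        except ValueError:
            verdicts[req] = "rejected"
    return verdicts


def demo():
    # Constructed layout: a workspace, a sibling directory outside it, and a
    # symlink inside the workspace that points at the sibling.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "workspace").mkdir()
        (root / "outside").mkdir()
        os.symlink(root / "outside", root / "workspace" / "link")
        samples = ["notes/todo.txt", "notes/../todo.txt", "../outside/secret",
                   "/etc/hostname", "link/secret"]
        return classify(str(root / "workspace"), samples)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:9} {path}")
```

The check compares resolved paths rather than searching the argument for '../', so an absolute path or a symlink inside the workspace is rejected as well.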