CVE-2026-58449 | P2 | CRITICAL | CVSS 9.8 | ≤ 9.10.0 | 2026-06-30
CVE-2026-58449 [CRITICAL] CWE-94
txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which performs __import__ and getattr on the caller-supplied dotted path with no allowlist. When the API is exposed with no TOKEN configured (authentication is opt-in, so all endpoints are unauthentic
nvd
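
The resolution pattern named in the description, next to an allowlisted variant, as an added example: this is not txtai's code and not the change made in commit 11b32da. The function names, the `ALLOWED_FUNCTIONS` set and the sample paths are assumptions constructed for illustration.

```python
import importlib

# Constructed allowlist (assumption): the exact dotted paths a deployment accepts.
ALLOWED_FUNCTIONS = frozenset({"json.dumps", "statistics.mean"})


def resolve_unrestricted(path):
    """Pattern from the description: import + getattr on any dotted path."""
    module, _, attribute = path.rpartition(".")
    return getattr(__import__(module, fromlist=[attribute]), attribute)


def resolve_allowlisted(path, allowed=ALLOWED_FUNCTIONS):
    """Resolve only exact, pre-approved paths.

    The membership check runs before any import, so a rejected path never
    triggers module import side effects. Exact matching (no prefixes, no
    wildcards) keeps longer paths such as "json.dumps.__globals__" out.
    """
    if not isinstance(path, str) or path not in allowed:
        raise PermissionError(f"function path not allowlisted: {path!r}")
    module, _, attribute = path.rpartition(".")
    target = getattr(importlib.import_module(module), attribute)
    if not callable(target):
        raise TypeError(f"{path!r} is not callable")
    return target


def check(path):
    """Return 'allowed' or 'rejected' for a request-supplied function path."""
    try:
        resolve_allowlisted(path)
        return "allowed"
    except (PermissionError, TypeError):
        return "rejected"


if __name__ == "__main__":
    # Constructed request values, not taken from the advisory.
    for candidate in ("json.dumps", "os.getcwd", "json.dumps.__globals__"):
        print(f"{candidate}: {check(candidate)}")
```

An allowlist of this kind limits what a request can resolve; it does not replace configuring the API token, since the description notes that authentication is opt-in.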