CVE-2026-39981 · HIGH 8.8 · EPSS p67.1%

Description

AGiXT is a dynamic AI Agent Automation Platform. Prior to 1.9.2, the safe_join() function in the essential_abilities extension fails to validate that resolved file paths remain within the designated agent workspace. An authenticated attacker can use directory traversal sequences to read, write, or delete arbitrary files on the server hosting the AGiXT instance. This vulnerability is fixed in 1.9.2.
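
A containment check of the kind the description says was missing, as an added example (not AGiXT's code and not its 1.9.2 patch). The function names, the workspace layout and the sample paths are constructed for illustration.

```python
import os
import tempfile

def naive_join(workspace, user_path):
    """Flawed pattern: join and normalise, but never check the result."""
    return os.path.normpath(os.path.join(workspace, user_path))

def contained_join(workspace, user_path):
    """Resolve the path and refuse anything that lands outside workspace."""
    base = os.path.realpath(workspace)
    # realpath collapses ".." and follows symlinks. An absolute user_path
    # replaces base inside os.path.join, so the check below catches it too.
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components, so a sibling directory such as
    # "workspace_backup" does not pass the way a startswith() test would.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes workspace: {user_path!r}")
    return target

SAMPLES = [  # constructed sample inputs, not taken from the advisory
    "notes/todo.txt",
    "../outside.txt",
    "notes/../../outside.txt",
    "../workspace_backup/db.sqlite",
    "/etc/hostname",
    "link/secret.txt",  # "link" is a symlink that points out of the workspace
]

def audit(workspace, candidates):
    """Map each candidate path to 'allowed' or 'blocked'."""
    results = {}
    for candidate in candidates:
        try:
            contained_join(workspace, candidate)
            results[candidate] = "allowed"
        except (PermissionError, ValueError):
            results[candidate] = "blocked"
    return results

def demo():
    """Build a throwaway workspace on disk and audit the sample paths."""
    with tempfile.TemporaryDirectory() as root:
        ws = os.path.join(root, "workspace")
        os.makedirs(os.path.join(ws, "notes"))
        os.symlink(root, os.path.join(ws, "link"))
        return audit(ws, SAMPLES)

if __name__ == "__main__":
    print(demo())
```

The check has to run on the resolved path at the point of use for every read, write and delete operation; validating the raw string and then opening a differently resolved path reintroduces the gap.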

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.32% probability of exploitation · percentile 67.1% · 2026-06-18T12:00:27Z
Published: 2026-04-09
Last modified: 2026-05-13

Underlying weaknesses · 1

CWE-22

References

  1. https://github.com/Josh-XT/AGiXT/commit/2079ea5a88fa671a921bf0b5eba887a5a1b73d5f
  2. https://github.com/Josh-XT/AGiXT/releases/tag/v1.9.2
  3. https://github.com/Josh-XT/AGiXT/security/advisories/GHSA-5gfj-64gh-mgmw

Type: Weakness
Target: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-25161
  2. CVE: CVE-2026-39891
  3. CVE: CVE-2026-22661
  4. CVE: Apache APISIX Authentication Bypass Vulnerability
  5. CVE: CVE-2026-34954
  6. CVE: CVE-2026-41863

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.