CVE-2026-42079

Published: May 04, 2026 Last Modified: May 04, 2026
HIGH 8.6
Attack Vector: local
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: changed
Confidentiality: high
Integrity: high
Availability: high

Description

PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary code execution via Python eval() of LLM-generated code with builtins in scope. This issue has been patched via commit 418491a.

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Incomplete
Common Consequences
Security Scopes Affected:
Confidentiality, Access Control, Integrity, Availability, Other, Non-Repudiation
Potential Impacts:
Read Files Or Directories, Read Application Data, Bypass Protection Mechanism, Gain Privileges Or Assume Identity, Execute Unauthorized Code Or Commands, Hide Activities
Applicable Platforms
Languages: Interpreted, Java, JavaScript, Perl, PHP, Python, Ruby
Technologies: AI/ML
https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35c…
https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-89g2-xw5c-v95p