CVE-2026-2256

MEDIUM

ModelScope ms-agent <v1.6.0rc1 - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-2256. PoCs published by Itamar-Yochpaz, mruniversity, melbratic.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2026-2256, demonstrating a command injection vulnerability in the MS-Agent framework's Shell tool. The PoC bypasses the `check_safe()` function to execute arbitrary commands, including establishing a reverse shell.

Description

A command injection vulnerability in ModelScope's ms-agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived input.

Exploits (3)

github WORKING POC 1 stars
by Itamar-Yochpaz · pythonpoc
https://github.com/Itamar-Yochpaz/CVE-2026-2256-PoC

This repository contains a functional proof-of-concept exploit for CVE-2026-2256, demonstrating a command injection vulnerability in the MS-Agent framework's Shell tool. The PoC bypasses the `check_safe()` function to execute arbitrary commands, including establishing a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ModelScope MS-Agent version 1.5.2
No auth needed
Prerequisites: Python 3 · netcat (nc) · MS-Agent framework version 1.5.2
mistral-large-3 · analyzed May 17, 2026 Full analysis →
github WRITEUP
by mruniversity · poc
https://github.com/mruniversity/CVE-2026-2256-

This repository contains a detailed threat model (ThreatDragon JSON) and README for CVE-2026-2256, which involves arbitrary command execution in ModelScope ms-agent due to bypassing the check_safe() validation function. The threat model outlines the attack chain, trust boundaries, and potential threats, but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: ModelScope ms-agent
No auth needed
Prerequisites: Attacker-controlled content source (e.g., poisoned document, webpage, log file, or code repo)
mistral-large-3 · analyzed Jun 04, 2026 Full analysis →
github WRITEUP
by melbratic · poc
https://github.com/melbratic/CVE-2026-2256-Threat-Model----ms-agent-Command-Injection

This repository contains a threat model analysis for CVE-2026-2256, detailing how attacker-controlled input bypasses the check_safe() validation function in ModelScope ms-agent, leading to arbitrary command execution. The threat model is structured using STRIDE methodology and includes a diagram of the attack chain.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: ModelScope ms-agent
No auth needed
Prerequisites: Attacker-controlled input via prompt interface or external content processed by the agent
mistral-large-3 · analyzed Jun 04, 2026 Full analysis →

Scores

CVSS v3 6.5
EPSS 0.0161
EPSS Percentile 73.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-77
Status published
Products (1)
pypi/ms-agent 0PyPI
Published Mar 02, 2026
Tracked Since Mar 03, 2026