CVE-2026-2256

MEDIUM

ModelScope ms-agent <v1.6.0rc1 - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-2256. PoCs published by Itamar-Yochpaz.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2026-2256, demonstrating a command injection vulnerability in the MS-Agent framework's Shell tool. The PoC bypasses the `check_safe()` function to execute arbitrary commands, including establishing a reverse shell.

Description

A command injection vulnerability in ModelScope's ms-agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived input.

Exploits (1)

github WORKING POC 1 stars
by Itamar-Yochpaz · pythonpoc
https://github.com/Itamar-Yochpaz/CVE-2026-2256-PoC

This repository contains a functional proof-of-concept exploit for CVE-2026-2256, demonstrating a command injection vulnerability in the MS-Agent framework's Shell tool. The PoC bypasses the `check_safe()` function to execute arbitrary commands, including establishing a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ModelScope MS-Agent version 1.5.2
No auth needed
Prerequisites: Python 3 · netcat (nc) · MS-Agent framework version 1.5.2
devstral-2 · analyzed May 17, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 6.5
EPSS 0.0076
EPSS Percentile 73.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-77
Status published
Products (1)
pypi/ms-agent 0PyPI
Published Mar 02, 2026
Tracked Since Mar 03, 2026