CVE-2026-5532
MEDIUMScrapeGraphAI scrapegraph-ai GenerateCodeNode generate_code_node.py create_sandbox_and_execute os command injection
Title source: cnaDescription
A vulnerability was found in ScrapeGraphAI scrapegraph-ai up to 1.74.0. The affected element is the function create_sandbox_and_execute of the file scrapegraphai/nodes/generate_code_node.py of the component GenerateCodeNode Component. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
References (4)
Core 4
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-355285 | ScrapeGraphAI scrapegraph-ai GenerateCodeNode generate_code_node.py create_sandbox_and_execute os command injection
https://vuldb.com/vuln/355285
Signature, Permissions Required signature
permissions-required
VDB-355285 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/355285/cti
Third Party Advisory third-party-advisory
Submit #782169 | ScrapeGraphAI scrapegraph-ai 1.74.0 Remote Code Execution (RCE)
https://vuldb.com/submit/782169
Exploit exploit
issue-tracking
https://github.com/August829/CVEP/issues/19
Scores
CVSS v3
6.3
EPSS
0.0145
EPSS Percentile
69.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-77
CWE-78
Status
published
Products (50)
ScrapeGraphAI/scrapegraph-ai
1.0
ScrapeGraphAI/scrapegraph-ai
1.1
ScrapeGraphAI/scrapegraph-ai
1.10
ScrapeGraphAI/scrapegraph-ai
1.11
ScrapeGraphAI/scrapegraph-ai
1.12
ScrapeGraphAI/scrapegraph-ai
1.13
ScrapeGraphAI/scrapegraph-ai
1.14
ScrapeGraphAI/scrapegraph-ai
1.15
ScrapeGraphAI/scrapegraph-ai
1.16
ScrapeGraphAI/scrapegraph-ai
1.17
... and 40 more
Published
Apr 05, 2026
Tracked Since
Apr 05, 2026