Agents
CVE-2026-25592: Semantic Kernel Perfect CVSS 10.0 — Prompt Injection Achieves RCE via Agent Function Calling
Microsoft's Semantic Kernel .NET SDK contained a path traversal vulnerability (CVE-2026-25592, CVSS 10.0) in SessionsPythonPlugin where DownloadFileAsync was accidentally tagged [KernelFunction] and exposed to the LLM with no path validation. An attacker could prompt-inject an agent to read arbitrary host files (exfiltration) or write to arbitrary locations (RCE). Combined with CVE-2026-26030, this represents a complete prompt injection → sandbox escape → remote code execution chain. Patched in Semantic Kernel 1.71.0 (.NET) and 1.39.4 (Python).
Source
↳ Follow the thread