CVE-2026-5532

Summary

A vulnerability was found in ScrapeGraphAI scrapegraph-ai up to 1.74.0. The affected element is the function create_sandbox_and_execute of the file scrapegraphai/nodes/generate_code_node.py of the component GenerateCodeNode Component. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
ScrapeGraphAIscrapegraph-ai1.0affected
ScrapeGraphAIscrapegraph-ai1.1affected
ScrapeGraphAIscrapegraph-ai1.2affected
ScrapeGraphAIscrapegraph-ai1.3affected
ScrapeGraphAIscrapegraph-ai1.4affected
ScrapeGraphAIscrapegraph-ai1.5affected
ScrapeGraphAIscrapegraph-ai1.6affected
ScrapeGraphAIscrapegraph-ai1.7affected
ScrapeGraphAIscrapegraph-ai1.8affected
ScrapeGraphAIscrapegraph-ai1.9affected
ScrapeGraphAIscrapegraph-ai1.10affected
ScrapeGraphAIscrapegraph-ai1.11affected
ScrapeGraphAIscrapegraph-ai1.12affected
ScrapeGraphAIscrapegraph-ai1.13affected
ScrapeGraphAIscrapegraph-ai1.14affected
ScrapeGraphAIscrapegraph-ai1.15affected
ScrapeGraphAIscrapegraph-ai1.16affected
ScrapeGraphAIscrapegraph-ai1.17affected
ScrapeGraphAIscrapegraph-ai1.18affected
ScrapeGraphAIscrapegraph-ai1.19affected
ScrapeGraphAIscrapegraph-ai1.20affected
ScrapeGraphAIscrapegraph-ai1.21affected
ScrapeGraphAIscrapegraph-ai1.22affected
ScrapeGraphAIscrapegraph-ai1.23affected
ScrapeGraphAIscrapegraph-ai1.24affected
ScrapeGraphAIscrapegraph-ai1.25affected
ScrapeGraphAIscrapegraph-ai1.26affected
ScrapeGraphAIscrapegraph-ai1.27affected
ScrapeGraphAIscrapegraph-ai1.28affected
ScrapeGraphAIscrapegraph-ai1.29affected
ScrapeGraphAIscrapegraph-ai1.30affected
ScrapeGraphAIscrapegraph-ai1.31affected
ScrapeGraphAIscrapegraph-ai1.32affected
ScrapeGraphAIscrapegraph-ai1.33affected
ScrapeGraphAIscrapegraph-ai1.34affected
ScrapeGraphAIscrapegraph-ai1.35affected
ScrapeGraphAIscrapegraph-ai1.36affected
ScrapeGraphAIscrapegraph-ai1.37affected
ScrapeGraphAIscrapegraph-ai1.38affected
ScrapeGraphAIscrapegraph-ai1.39affected
ScrapeGraphAIscrapegraph-ai1.40affected
ScrapeGraphAIscrapegraph-ai1.41affected
ScrapeGraphAIscrapegraph-ai1.42affected
ScrapeGraphAIscrapegraph-ai1.43affected
ScrapeGraphAIscrapegraph-ai1.44affected
ScrapeGraphAIscrapegraph-ai1.45affected
ScrapeGraphAIscrapegraph-ai1.46affected
ScrapeGraphAIscrapegraph-ai1.47affected
ScrapeGraphAIscrapegraph-ai1.48affected
ScrapeGraphAIscrapegraph-ai1.49affected
ScrapeGraphAIscrapegraph-ai1.50affected
ScrapeGraphAIscrapegraph-ai1.51affected
ScrapeGraphAIscrapegraph-ai1.52affected
ScrapeGraphAIscrapegraph-ai1.53affected
ScrapeGraphAIscrapegraph-ai1.54affected
ScrapeGraphAIscrapegraph-ai1.55affected
ScrapeGraphAIscrapegraph-ai1.56affected
ScrapeGraphAIscrapegraph-ai1.57affected
ScrapeGraphAIscrapegraph-ai1.58affected
ScrapeGraphAIscrapegraph-ai1.59affected
ScrapeGraphAIscrapegraph-ai1.60affected
ScrapeGraphAIscrapegraph-ai1.61affected
ScrapeGraphAIscrapegraph-ai1.62affected
ScrapeGraphAIscrapegraph-ai1.63affected
ScrapeGraphAIscrapegraph-ai1.64affected
ScrapeGraphAIscrapegraph-ai1.65affected
ScrapeGraphAIscrapegraph-ai1.66affected
ScrapeGraphAIscrapegraph-ai1.67affected
ScrapeGraphAIscrapegraph-ai1.68affected
ScrapeGraphAIscrapegraph-ai1.69affected
ScrapeGraphAIscrapegraph-ai1.70affected
ScrapeGraphAIscrapegraph-ai1.71affected
ScrapeGraphAIscrapegraph-ai1.72affected
ScrapeGraphAIscrapegraph-ai1.73affected
ScrapeGraphAIscrapegraph-ai1.74.0affected

Weaknesses

  • CWE-78: OS Command Injection
  • CWE-77: Command Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References