{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/agentscope/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["code-injection","remote-code-execution","agentscope"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical code injection vulnerability, identified as CVE-2026-6603, affects modelscope agentscope versions up to 1.0.18. The vulnerability resides within the \u003ccode\u003eexecute_python_code\u003c/code\u003e and \u003ccode\u003eexecute_shell_command\u003c/code\u003e functions in the \u003ccode\u003esrc/AgentScope/tool/_coding/_python.py\u003c/code\u003e file. This flaw allows an attacker to inject arbitrary code, leading to potential remote code execution on the affected system. A public exploit is available, increasing the risk of widespread exploitation. The vendor was contacted but has not responded to the disclosure. This vulnerability poses a significant threat to systems running vulnerable versions of agentscope, potentially leading to compromise and unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable instance of modelscope agentscope running a version up to 1.0.18.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003eexecute_python_code\u003c/code\u003e or \u003ccode\u003eexecute_shell_command\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe malicious request injects arbitrary code into the vulnerable function\u0026rsquo;s input.\u003c/li\u003e\n\u003cli\u003eThe application processes the injected code without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed by the system, potentially allowing the attacker to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the executed code to gain further access to the system or network.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware, establishes persistence, or exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6603 can result in arbitrary code execution on the affected system. This can lead to complete system compromise, data breaches, and unauthorized access to sensitive information. While the exact number of victims is currently unknown, the availability of a public exploit makes widespread exploitation highly probable. Organizations using modelscope agentscope are at risk and should take immediate action to mitigate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade modelscope agentscope to a patched version beyond 1.0.18 to remediate the vulnerability (CVE-2026-6603).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious process execution originating from the agentscope application server.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual requests targeting the \u003ccode\u003eexecute_python_code\u003c/code\u003e or \u003ccode\u003eexecute_shell_command\u003c/code\u003e endpoints (webserver log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T05:16:15Z","date_published":"2026-04-20T05:16:15Z","id":"/briefs/2026-04-agentscope-code-injection/","summary":"A code injection vulnerability exists in modelscope agentscope up to version 1.0.18, specifically affecting the execute_python_code/execute_shell_command functions, allowing for remote code execution.","title":"Modelscope Agentscope Code Injection Vulnerability (CVE-2026-6603)","url":"https://feed.craftedsignal.io/briefs/2026-04-agentscope-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Agentscope","version":"https://jsonfeed.org/version/1.1"}