Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-msgd-aq9b-6fcx

Summary

Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK
_What kind of vulnerability is it? Who is impacted?_
An Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the `SessionsPythonPlugin`.
Developers who have built applications which include Microsoft's Semantic Kernel .NET SDK and are using the `SessionsPythonPlugin`

Aliases

alias	CVE-2026-25592

alias	GHSA-2ww3-72rp-wpp4

Fixed_packages

url	pkg:nuget/Microsoft.SemanticKernel.Core@1.71.0
purl	pkg:nuget/Microsoft.SemanticKernel.Core@1.71.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:nuget/Microsoft.SemanticKernel.Core@1.71.0

url pkg:pypi/semantic-kernel@1.39.3

purl pkg:pypi/semantic-kernel@1.39.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-yt8v-22tc-hyep

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/semantic-kernel@1.39.3

Affected_packages

References

reference_url	https://github.com/microsoft/semantic-kernel
reference_id
reference_type
scores
url	https://github.com/microsoft/semantic-kernel

reference_url	https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64
reference_id
reference_type
scores
url	https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64

reference_url	https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d
reference_id
reference_type
scores
url	https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2026-25592
reference_id	CVE-2026-25592
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2026-25592

reference_url	https://github.com/advisories/GHSA-2ww3-72rp-wpp4
reference_id	GHSA-2ww3-72rp-wpp4
reference_type
scores
url	https://github.com/advisories/GHSA-2ww3-72rp-wpp4

reference_url	https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4
reference_id	GHSA-2ww3-72rp-wpp4
reference_type
scores
url	https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4

Weaknesses

cwe_id	22
name	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
description	The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-msgd-aq9b-6fcx

Vulnerability Instance