The Python SDK of Semantic Kernel, Microsoft's AI orchestration framework, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade to this version or higher. As a workaround, avoid using `InMemoryVectorStore` for production scenarios.
| Source | Link | Notes |
|---|---|---|
| NVD (NIST) | https://nvd.nist.gov/vuln/detail/CVE-2026-26030 | CVE entry in NVD |
| CISA KEV | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-26030 | CVE lookup in KEV |
| FIRST EPSS | https://api.first.org/data/v1/epss?cve=CVE-2026-26030 | EPSS API for the CVE |
| security-advisories@github.com | https://github.com/microsoft/semantic-kernel/pull/13505 | Issue Tracking, Patch |
| security-advisories@github.com | https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4 | Release Notes |
| security-advisories@github.com | https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx | Patch, Vendor Advisory |