Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by agent0ai
CVE-2026-4308 (GCVE-0-2026-4308)
Vulnerability from cvelistv5 – Published: 2026-03-17 04:02 – Updated: 2026-03-17 13:22
VLAI
Title
frdel/agent0ai agent-zero document_query.py handle_pdf_document server-side request forgery
Summary
A weakness has been identified in frdel/agent0ai agent-zero 0.9.7. This affects the function handle_pdf_document of the file python/helpers/document_query.py. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351338 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.351338 | signaturepermissions-required |
| https://vuldb.com/?submit.773950 | third-party-advisory |
| https://gist.github.com/YLChen-007/c99c44aa019266… | related |
| https://gist.github.com/YLChen-007/c99c44aa019266… | exploit |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| frdel | agent-zero |
Affected:
0.9.7
cpe:2.3:a:agent-zero:agent-zero:*:*:*:*:*:*:*:* |
|
| agent0ai | agent-zero |
Affected:
0.9.7
cpe:2.3:a:agent-zero:agent-zero:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4308",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T13:22:49.428663Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T13:22:56.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:agent-zero:agent-zero:*:*:*:*:*:*:*:*"
],
"product": "agent-zero",
"vendor": "frdel",
"versions": [
{
"status": "affected",
"version": "0.9.7"
}
]
},
{
"cpes": [
"cpe:2.3:a:agent-zero:agent-zero:*:*:*:*:*:*:*:*"
],
"product": "agent-zero",
"vendor": "agent0ai",
"versions": [
{
"status": "affected",
"version": "0.9.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-y (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in frdel/agent0ai agent-zero 0.9.7. This affects the function handle_pdf_document of the file python/helpers/document_query.py. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T04:02:07.980Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351338 | frdel/agent0ai agent-zero document_query.py handle_pdf_document server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.351338"
},
{
"name": "VDB-351338 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351338"
},
{
"name": "Submit #773950 | agent0ai agent-zero 0.9.7 Server-Side Request Forgery (CWE-918)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.773950"
},
{
"tags": [
"related"
],
"url": "https://gist.github.com/YLChen-007/c99c44aa019266a72636757308d43989"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/c99c44aa019266a72636757308d43989#poc"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-16T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-16T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-16T22:37:27.000Z",
"value": "VulDB entry last update"
}
],
"title": "frdel/agent0ai agent-zero document_query.py handle_pdf_document server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4308",
"datePublished": "2026-03-17T04:02:07.980Z",
"dateReserved": "2026-03-16T21:31:55.971Z",
"dateUpdated": "2026-03-17T13:22:56.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4307 (GCVE-0-2026-4307)
Vulnerability from cvelistv5 – Published: 2026-03-17 03:32 – Updated: 2026-03-17 13:25
VLAI
Title
frdel/agent0ai agent-zero files.py get_abs_path path traversal
Summary
A security flaw has been discovered in frdel/agent0ai agent-zero 0.9.7-10. The impacted element is the function get_abs_path of the file python/helpers/files.py. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Path Traversal
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351337 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.351337 | signaturepermissions-required |
| https://vuldb.com/?submit.771967 | third-party-advisory |
| https://gist.github.com/YLChen-007/1819c843ad26aa… | exploit |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| frdel | agent-zero |
Affected:
0.9.7-10
cpe:2.3:a:agent-zero:agent-zero:*:*:*:*:*:*:*:* |
|
| agent0ai | agent-zero |
Affected:
0.9.7-10
cpe:2.3:a:agent-zero:agent-zero:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4307",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T13:25:40.314752Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T13:25:49.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:agent-zero:agent-zero:*:*:*:*:*:*:*:*"
],
"product": "agent-zero",
"vendor": "frdel",
"versions": [
{
"status": "affected",
"version": "0.9.7-10"
}
]
},
{
"cpes": [
"cpe:2.3:a:agent-zero:agent-zero:*:*:*:*:*:*:*:*"
],
"product": "agent-zero",
"vendor": "agent0ai",
"versions": [
{
"status": "affected",
"version": "0.9.7-10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-y (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in frdel/agent0ai agent-zero 0.9.7-10. The impacted element is the function get_abs_path of the file python/helpers/files.py. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T03:32:07.609Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351337 | frdel/agent0ai agent-zero files.py get_abs_path path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.351337"
},
{
"name": "VDB-351337 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351337"
},
{
"name": "Submit #771967 | frdel agent-zero 0.9.7-10 Path Traversal (CWE-22)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.771967"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/1819c843ad26aaaaecdc768a789df022"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-16T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-16T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-16T22:37:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "frdel/agent0ai agent-zero files.py get_abs_path path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4307",
"datePublished": "2026-03-17T03:32:07.609Z",
"dateReserved": "2026-03-16T21:31:48.889Z",
"dateUpdated": "2026-03-17T13:25:49.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}