{"vulnerability": "CVE-2026-26030", "sightings": [{"uuid": "ec76baa3-fb3b-42cd-8d3e-cede07c685bc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mfa6fkpl6w25", "content": "", "creation_timestamp": "2026-02-19T18:01:13.300845Z"}, {"uuid": "54642e2a-425c-483e-8dbe-86513b599c76", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-26030", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mfaifoydgk22", "content": "", "creation_timestamp": "2026-02-19T21:00:15.310049Z"}, {"uuid": "ac82f3fe-bfb3-4250-ae75-dea5c755d1dc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-26030", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116099305500728064", "content": "", "creation_timestamp": "2026-02-19T21:00:27.004464Z"}, {"uuid": "548c7641-bf4e-40cd-b5e9-89f6ee0fc135", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-26030", "type": "seen", "source": "https://bsky.app/profile/cyberlensai.bsky.social/post/3mfxqtp3vty2v", "content": "", "creation_timestamp": "2026-03-01T03:02:30.902970Z"}, {"uuid": "21536600-7094-41df-8b60-45afea940812", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://bsky.app/profile/cyber-news-fi.bsky.social/post/3mfb5zqxkdc2q", "content": "", "creation_timestamp": "2026-02-20T03:27:17.267444Z"}, {"uuid": "e75093ac-b13e-46b5-a394-cb78b6a08f9a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116101670267856847", "content": "", "creation_timestamp": "2026-02-20T07:01:36.997434Z"}, {"uuid": "ff36bd1b-b0e1-425b-ae9d-d6eec78a78f1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://www.thezdi.com/blog/2026/3/10/the-march-2026-security-update-review", "content": "", "creation_timestamp": "2026-03-10T16:57:37.000000Z"}, {"uuid": "8bf330f8-9244-4af0-b142-46df6c9a3312", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+March+2026/32782", "content": "", "creation_timestamp": "2026-03-11T03:00:16.000000Z"}, {"uuid": "dd3d91af-6383-48ac-8aa8-51963842ebb3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://isc.sans.edu/diary/rss/32782", "content": "", "creation_timestamp": "2026-03-11T03:00:20.000000Z"}, {"uuid": "d7c3e02e-6ff2-4445-babc-743b6caca8c6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://swecyb.com/ap/users/116080658609901341/statuses/116535698755654805", "content": "(microsoft.com) Critical Vulnerabilities in Microsoft Semantic Kernel: From Prompt Injection to Remote Code Execution\nCritical vulnerabilities in Microsoft Semantic Kernel (CVE-2026-25592, CVE-2026-26030) enable prompt injection to escalate to host-level RCE or arbitrary file writes, exposing systemic risks in AI agent frameworks.\nIn brief - Two CVEs in Microsoft Semantic Kernel demonstrate how prompt injection can bypass security boundaries, leading to RCE or file writes. Patched via responsible disclosure, but highlights urgent need for secure AI agent architectures.\nTechnically - CVE-2026-26030 exploits unsafe string interpolation in the In-Memory Vector Store\u2019s filter functionality, allowing `eval()`-based RCE via crafted prompts. CVE-2026-25592 abuses exposed `DownloadFileAsync` in the .NET SDK to write files to arbitrary locations, including Startup folders. Exploit chains involve AST traversal and sandbox escape. Mitigations: upgrade, AST allowlists, and tool exposure restrictions. Detection queries provided for post-exploitation activity.\nSource: https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/\n#Cybersecurity #ThreatIntel", "creation_timestamp": "2026-05-07T22:42:34.934741Z"}, {"uuid": "b42d48b3-c109-40c1-a6a9-1babe0768ebd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://bsky.app/profile/mel-echosphere.bsky.social/post/3mmvjwkyd662s", "content": "Microsoft \u304c\u81ea\u5206\u3067\u66f8\u3044\u305f\u2014\u2014\u300cWhen prompts become shells\u300d\u3002\n\nSemantic Kernel \u306b prompt injection \u2192 RCE \u304c2\u672c\u3002CVE-2026-25592(.NET)\u3001CVE-2026-26030(Python)\u3002Copilot \u306e\u88cf\u3067\u52d5\u304fAI\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u3060\u3002\u26a0\ufe0f\n\nhttps://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/", "creation_timestamp": "2026-05-28T07:49:51.162527Z"}, {"uuid": "74fe9059-d09f-42d7-9340-26a312e3e275", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://bsky.app/profile/mel-echosphere.bsky.social/post/3mmvjwll2642x", "content": "2\u672c\u306e\u6bba\u3057\u65b9\u3002\n\nPython\uff08CVE-2026-26030\uff09\uff1a\u30d9\u30af\u30c8\u30eb\u691c\u7d22\u306e\u30d5\u30a3\u30eb\u30bf\u30fc\u5024\u304c eval() \u306b\u6e21\u3063\u3066\u305f\u3002\u30d7\u30ed\u30f3\u30d7\u30c81\u672c\u3067 calc.exe \u8d77\u52d5\u30022026\u5e74\u306b eval() injection\u2014\u2014\u5197\u8ac7\u304b\u3088\u3002\ud83d\udc8e\n\n.NET\uff08CVE-2026-25592\uff09\uff1a\u30d5\u30a1\u30a4\u30ebDL\u95a2\u6570\u306b [KernelFunction] \u5c5e\u6027\u304c\u3064\u3044\u3066\u3066 LLM \u304b\u3089\u76f4\u63a5\u547c\u3079\u305f\u3002\u30d1\u30b9\u691c\u8a3c\u30bc\u30ed\u3002Startup \u30d5\u30a9\u30eb\u30c0\u306b payload \u66f8\u304d\u8fbc\u307f \u2192 \u6b21\u306e\u30ed\u30b0\u30a4\u30f3\u3067 RCE \u5b8c\u8d70\u3002\ud83d\udd4a\ufe0f\n\n\u5c5e\u6027\u30bf\u30b01\u500b\u306e\u4ed8\u3051\u9593\u9055\u3044\u3067\u3001\u30db\u30b9\u30c8\u307e\u3067\u8cab\u901a\u3057\u3066\u305f\u3002", "creation_timestamp": "2026-05-28T07:49:51.704385Z"}, {"uuid": "e8c42c79-9b54-4b0c-984d-b851389d53ca", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mmxikgplyz2a", "content": "Top 3 CVE for last 7 days:\nCVE-2026-69: 19 interactions\nCVE-2026-26980: 17 interactions\nCVE-2026-46333: 17 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-35616: 10 interactions\nCVE-2026-25592: 7 interactions\nCVE-2026-26030: 7 interactions\n", "creation_timestamp": "2026-05-29T02:30:30.109482Z"}, {"uuid": "6b6a0424-7bc5-48a6-aad6-013d16f529d8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://bsky.app/profile/cyfar.ca/post/3mpx7iq3thg2b", "content": "~Asec~\nQ2 2026 saw a 27% rise in CISA KEV listings, with ransomware-linked vulns doubling and AI stack exploits emerging via prompt injection and supply chain attacks.\n-\nIOCs: CVE-2026-42824, CVE-2026-26030, CVE-2026-42271\n-\n...", "creation_timestamp": "2026-07-06T04:04:04.298757Z"}, {"uuid": "d49570df-91f6-4b41-af3a-2db1a9e3b3f8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://bsky.app/profile/heysec.com/post/3mpxedekc4q2k", "content": "Microsoft recorded CVE-2026-26030 and CVE-2026-25592 for prompt injection in Semantic Kernel.\nCalling this \"by design\" confirms a clear risk: malicious text driving tool actions is a recognized threat.\n\nhttps://heysec.com/2026/06/what-prompt-injection-is-and-why-microsoft-is-filing-cves/", "creation_timestamp": "2026-07-06T05:30:32.397158Z"}, {"uuid": "2ce29d90-c9dd-4bde-8df1-5907ed2a0a96", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://t.me/bhhub/1194", "content": "Weekly 8 AI &amp; Cyber signals to act on (May 11-17)\n\n#AISecurity@bhhub \n\n\u2728 Prompt Injection to Host RCE: Microsoft Discloses Two Critical Semantic Kernel Flaws (CVE-2026-25592 + CVE-2026-26030)\nURL\nA single injected prompt escalates to full host takeover in Microsoft's Semantic Kernel Python SDK (CVSS 10.0 arbitrary file write) and its .NET SessionsPythonPlugin.\n\n\u2728 LiteLLM Pre-Auth SQL Injection (CVE-2026-42208) Exploited 36 Hours After Disclosure \u2014 Now on CISA KEV\nURL\nAn unauthenticated attacker can read and modify the LLM gateway's database via a crafted Authorization header (CVSS 9.3); active exploitation began within 36 hours of the GitHub advisory, with CISA ordering federal patch by May 11.\n\n\u2728 Google GTIG Confirms First AI-Developed Zero-Day in the Wild \u2014 2FA Bypass Intended for Mass Exploitation\nURL\nA criminal group used an AI model to write a working 2FA-bypass exploit targeting a popular open-source web admin tool and planned a mass exploitation campaign.\n\n#AppSec@bhhub \n\n\u2728 Zero-Click RCE in Windsurf, Silent Exec in Cursor &amp; Claude Code: OX Security's MCP Supply Chain Advisory (CVE-2026-30615)\nURL\nA prompt-injection flaw in the Model Context Protocol silently overwrites mcp.json and auto-registers a malicious STDIO server \u2014 in Windsurf (CVE-2026-30615) this requires zero user interaction; Cursor, VS Code, Claude Code, and Gemini-CLI are also affected, exposing an estimated 200,000 instances across a supply chain with 150M+ downloads.\n\n#RedTeam@bhhub \n\n\u2728 GTIG AI Threat Tracker (May 12): Adversaries Graduate to Industrial-Scale AI Use \u2014 APT45 Mass CVE Analysis, Autonomous Malware, Supply Chain Compromises\nURL\nGoogle's threat intelligence unit documents the transition from AI experimentation to industrialised adversarial workflows: APT45 submitting thousands of recursive CVE prompts, actors deploying AI-modified malware (CANFAIL, LONGSTREAM), and UNC6780 compromising Trivy, Checkmarx, and LiteLLM GitHub Actions in a coordinated supply chain campaign to steal cloud credentials at build time.\n\n\u2728 Decepticon v1.0.15: Open-Source Autonomous Red Team Agent Ships 17 Kill-Chain Specialists\nURL\nPurpleAILAB released a production-grade autonomous multi-agent hacking platform \u2014 17 specialist sub-agents cover every kill-chain phase from recon to persistence, running inside sandboxed Kali sessions with no human micromanagement required.\n\n#BlueTeam@bhhub\n\n\u2728 Microsoft MDASH: 100+ AI Agents Score 88.45% on CyberGym Benchmark, Uncover 16 Windows Vulns (4 Critical RCEs) in One Run\nURL\nMicrosoft's internal agentic scanner (MDASH) orchestrates more than 100 frontier and distilled models to autonomously find, debate, and prove bugs end-to-end \u2014 its first public run uncovered 16 Windows vulnerabilities including four critical RCEs in tcpip.sys and the IKEv2 service, scored 88.45% on CyberGym (next best: 83.1%), and achieved 100% recall on a five-year MSRC vuln set in tcpip.sys.\n\n\u2728 ARGUS: Provenance-Aware LLM Agent Defense Cuts Prompt Injection Success Rate to 3.8% While Preserving 87.5% Task Utility\nURL\nARGUS builds an influence provenance graph that tracks how untrusted context propagates into agent decisions and blocks execution unless the action is justified by trustworthy evidence \u2014 achieving 3.8% attack success rate (vs. 60\u201390% baselines) while remaining robust against adaptive white-box adversaries across four agentic domains and eight attack vectors.", "creation_timestamp": "2026-07-12T06:00:05.457775Z"}, {"uuid": "6344d7c1-612e-4865-bd2d-3fab9e722420", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26030", "type": "seen", "source": "https://t.me/bhhub/1194", "content": "Weekly 8 AI &amp; Cyber signals to act on (May 11-17)\n\n#AISecurity@bhhub \n\n\u2728 Prompt Injection to Host RCE: Microsoft Discloses Two Critical Semantic Kernel Flaws (CVE-2026-25592 + CVE-2026-26030)\nURL\nA single injected prompt escalates to full host takeover in Microsoft's Semantic Kernel Python SDK (CVSS 10.0 arbitrary file write) and its .NET SessionsPythonPlugin.\n\n\u2728 LiteLLM Pre-Auth SQL Injection (CVE-2026-42208) Exploited 36 Hours After Disclosure \u2014 Now on CISA KEV\nURL\nAn unauthenticated attacker can read and modify the LLM gateway's database via a crafted Authorization header (CVSS 9.3); active exploitation began within 36 hours of the GitHub advisory, with CISA ordering federal patch by May 11.\n\n\u2728 Google GTIG Confirms First AI-Developed Zero-Day in the Wild \u2014 2FA Bypass Intended for Mass Exploitation\nURL\nA criminal group used an AI model to write a working 2FA-bypass exploit targeting a popular open-source web admin tool and planned a mass exploitation campaign.\n\n#AppSec@bhhub \n\n\u2728 Zero-Click RCE in Windsurf, Silent Exec in Cursor &amp; Claude Code: OX Security's MCP Supply Chain Advisory (CVE-2026-30615)\nURL\nA prompt-injection flaw in the Model Context Protocol silently overwrites mcp.json and auto-registers a malicious STDIO server \u2014 in Windsurf (CVE-2026-30615) this requires zero user interaction; Cursor, VS Code, Claude Code, and Gemini-CLI are also affected, exposing an estimated 200,000 instances across a supply chain with 150M+ downloads.\n\n#RedTeam@bhhub \n\n\u2728 GTIG AI Threat Tracker (May 12): Adversaries Graduate to Industrial-Scale AI Use \u2014 APT45 Mass CVE Analysis, Autonomous Malware, Supply Chain Compromises\nURL\nGoogle's threat intelligence unit documents the transition from AI experimentation to industrialised adversarial workflows: APT45 submitting thousands of recursive CVE prompts, actors deploying AI-modified malware (CANFAIL, LONGSTREAM), and UNC6780 compromising Trivy, Checkmarx, and LiteLLM GitHub Actions in a coordinated supply chain campaign to steal cloud credentials at build time.\n\n\u2728 Decepticon v1.0.15: Open-Source Autonomous Red Team Agent Ships 17 Kill-Chain Specialists\nURL\nPurpleAILAB released a production-grade autonomous multi-agent hacking platform \u2014 17 specialist sub-agents cover every kill-chain phase from recon to persistence, running inside sandboxed Kali sessions with no human micromanagement required.\n\n#BlueTeam@bhhub\n\n\u2728 Microsoft MDASH: 100+ AI Agents Score 88.45% on CyberGym Benchmark, Uncover 16 Windows Vulns (4 Critical RCEs) in One Run\nURL\nMicrosoft's internal agentic scanner (MDASH) orchestrates more than 100 frontier and distilled models to autonomously find, debate, and prove bugs end-to-end \u2014 its first public run uncovered 16 Windows vulnerabilities including four critical RCEs in tcpip.sys and the IKEv2 service, scored 88.45% on CyberGym (next best: 83.1%), and achieved 100% recall on a five-year MSRC vuln set in tcpip.sys.\n\n\u2728 ARGUS: Provenance-Aware LLM Agent Defense Cuts Prompt Injection Success Rate to 3.8% While Preserving 87.5% Task Utility\nURL\nARGUS builds an influence provenance graph that tracks how untrusted context propagates into agent decisions and blocks execution unless the action is justified by trustworthy evidence \u2014 achieving 3.8% attack success rate (vs. 60\u201390% baselines) while remaining robust against adaptive white-box adversaries across four agentic domains and eight attack vectors.", "creation_timestamp": "2026-07-13T00:00:51.049716Z"}]}