CVE-2026-35002

Source
https://cve.org/CVERecord?id=CVE-2026-35002
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35002.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35002
Aliases
Published
2026-04-02T14:34:14.538Z
Modified
2026-07-08T08:12:41.289926172Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Agno < 2.3.24 field_type Eval Injection Arbitrary Code Execution
Details

Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the fieldtype parameter passed to eval(). Attackers can influence the fieldtype value in a FunctionCall to achieve remote code execution.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "cbf675521d4d2281925a051784a3b94172e56416"
                },
                {
                    "last_affected": "cbf675521d4d2281925a051784a3b94172e56416"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35002.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-95"
    ]
}
References

Affected packages

Git / github.com/agno-agi/agno

Affected ranges

Type
GIT
Repo
https://github.com/agno-agi/agno
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:agno:agno:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.24"
        }
    ]
}

Affected versions

v.*
v.1.1.13
v.1.3.2
v.1.5.0
v0.*
v0.1.6
v0.1.7
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.8
v1.1.0
v1.1.10
v1.1.14
v1.1.15
v1.1.16
v1.1.17
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.10
v1.2.11
v1.2.12
v1.2.13
v1.2.14
v1.2.15
v1.2.16
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.3
v1.3.4
v1.3.5
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.5.1
v1.5.10
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.5.9
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.7.0
v1.7.1
v1.7.10
v1.7.11
v1.7.12
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.9
v1.8.0
v1.8.1
v1.8.2
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.10
v2.1.2
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.2
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.3
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35002.json"