GHSA-2ww3-72rp-wpp4

Source

https://github.com/advisories/GHSA-2ww3-72rp-wpp4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2ww3-72rp-wpp4/GHSA-2ww3-72rp-wpp4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2ww3-72rp-wpp4

Aliases

CVE-2026-25592

Published

2026-02-06T18:37:24Z

Modified

2026-02-06T22:26:16.755261Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK

Details

Impact

What kind of vulnerability is it? Who is impacted?

An Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. Developers who have built applications which include Microsoft's Semantic Kernel .NET SDK and are using the SessionsPythonPlugin.

Patches

Has the problem been patched? What versions should users upgrade to?

The problem has been fixed in Microsoft.SemanticKernel.Core version 1.70.0. Users should upgrade to version 1.70.0 or higher.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync  or UploadFileAsync and ensures the provided localFilePath is allow listed.

References

Are there any links users can visit to find out more? - Sample showing safe use of the CodeInterpreterPlugin - PR to Add file upload security controls to SessionsPythonPlugin

Database specific

{
    "nvd_published_at": "2026-02-06T21:16:17Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T18:37:24Z",
    "severity": "CRITICAL"
}

References

Affected packages

NuGet / Microsoft.SemanticKernel.Core

Package

Name: Microsoft.SemanticKernel.Core; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.SemanticKernel.Core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.70.0

Affected versions

0.*

0.12.207.1-preview

0.13.277.1-preview

0.13.442.1-preview

0.14.547.1-preview

0.15.230531.5-preview

0.15.230609.2-preview

0.15.231219.1-preview

0.16.230615.1-preview

0.17.230626.1-preview

1.*

1.0.0-beta1

1.0.0-beta2

1.0.0-beta3

1.0.0-beta4

1.0.0-beta5

1.0.0-beta6

1.0.0-beta7

1.0.0-beta8

1.0.0-rc1

1.0.0-rc2

1.0.0-rc3

1.0.0-rc4

1.0.1

1.1.0

1.2.0

1.3.0

1.3.1

1.4.0

1.5.0

1.6.0

1.6.1

1.6.2

1.6.3

1.7.0

1.7.1

1.8.0

1.9.0

1.10.0

1.11.0

1.11.1

1.12.0

1.13.0

1.14.0

1.14.1

1.15.0

1.15.1

1.16.0

1.16.1

1.16.2

1.17.0

1.17.1

1.17.2

1.18.0-rc

1.18.1-rc

1.18.2

1.19.0

1.20.0

1.21.0

1.21.1

1.22.0

1.23.0

1.24.0

1.24.1

1.25.0

1.26.0

1.27.0

1.28.0

1.29.0

1.30.0

1.31.0

1.32.0

1.33.0

1.34.0

1.35.0

1.36.0

1.36.1

1.37.0

1.38.0

1.39.0

1.40.0

1.40.1

1.41.0

1.42.0

1.43.0

1.44.0

1.45.0

1.46.0

1.47.0

1.48.0

1.49.0

1.50.0

1.51.0

1.52.0

1.52.1

1.53.0

1.53.1

1.54.0

1.55.0

1.56.0

1.57.0

1.58.0

1.59.0

1.60.0

1.61.0

1.62.0

1.63.0

1.64.0

1.65.0

1.66.0

1.67.0

1.67.1

1.68.0

1.69.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2ww3-72rp-wpp4/GHSA-2ww3-72rp-wpp4.json"

PyPI / semantic-kernel

Package

Name: semantic-kernel; View open source insights on deps.dev
Purl: pkg:pypi/semantic-kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.39.3

Affected versions

0.*

0.0.1.dev0

0.1.0.dev0

0.2.0.dev0

0.2.1.dev0

0.2.2.dev0

0.2.3.dev0

0.2.4.dev0

0.2.5.dev0

0.2.6.dev0

0.2.7.dev0

0.2.8.dev0

0.2.9.dev0

0.3.0.dev0

0.3.1.dev0

0.3.2.dev0

0.3.3.dev0

0.3.4.dev0

0.3.5.dev0

0.3.6.dev0

0.3.7.dev0

0.3.8.dev0

0.3.9.dev0

0.3.10.dev0

0.3.11.dev0

0.3.12.dev0

0.3.13.dev0

0.3.14.dev0

0.3.15.dev0

0.4.0.dev0

0.4.1.dev0

0.4.2.dev0

0.4.3.dev0

0.4.4.dev0

0.4.5.dev0

0.4.6.dev0

0.4.7.dev0

0.5.0.dev0

0.5.1.dev0

0.9.0b1

0.9.1b1

0.9.2b1

0.9.3b1

0.9.4b1

0.9.5b1

0.9.6b1

0.9.7b1

0.9.8b1

0.9.9b1

1.*

1.0.0rc1

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.4.0

1.5.0

1.5.1

1.6.0

1.7.0

1.8.0

1.8.1

1.8.2

1.8.3

1.9.0

1.10.0

1.10.1

1.11.0

1.12.0

1.12.1

1.13.0

1.14.0

1.15.0

1.16.0

1.17.0

1.17.1

1.18.0

1.18.1

1.18.2

1.19.0

1.20.0

1.21.0

1.21.1

1.21.2

1.21.3

1.22.0

1.22.1

1.23.0

1.23.1

1.24.0

1.24.1

1.25.0

1.26.0

1.26.1

1.27.0

1.27.1

1.27.2

1.28.0

1.28.1

1.29.0

1.30.0

1.31.0

1.32.0

1.32.1

1.32.2

1.33.0

1.34.0

1.35.0

1.35.1

1.35.2

1.35.3

1.36.0

1.36.1

1.36.2

1.37.0

1.37.1

1.38.0

1.39.0

1.39.1

1.39.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2ww3-72rp-wpp4/GHSA-2ww3-72rp-wpp4.json"