PYSEC-2026-255

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/agentscope/PYSEC-2026-255.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-255
Aliases
Published
2026-06-29T11:50:35.430041Z
Modified
2026-07-01T20:22:47.633996Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
AgentScope path traversal vulnerability in save-workflow
Details

A path traversal vulnerability exists in the save-workflow and load-workflow functionality of modelscope/agentscope versions prior to the fix. This vulnerability allows an attacker to read and write arbitrary JSON files on the filesystem, potentially leading to the exposure or modification of sensitive information such as configuration files, API keys, and hardcoded passwords.

References

Affected packages

PyPI / agentscope

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
0.1.1

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5a1
0.0.5
0.0.6a1
0.0.6a2
0.1.0
0.1.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/agentscope/PYSEC-2026-255.yaml"