PYSEC-2026-396

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/llama-index-core/PYSEC-2026-396.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-396
Aliases
Published
2026-06-29T11:50:39.698454Z
Modified
2026-06-29T12:15:28.094773061Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
llama-index-core Command Injection vulnerability
Details

A command injection vulnerability exists in the run-llama/llamaindex repository, specifically within the safeeval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved by crafting input that does not contain an underscore but still results in the execution of OS commands. The vulnerability allows for remote code execution (RCE) on the server hosting the application.

References

Affected packages

PyPI / llama-index-core

Package

Name
llama-index-core
View open source insights on deps.dev
Purl
pkg:pypi/llama-index-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.10.24

Affected versions

0.*
0.9.41
0.9.42
0.9.42.post3
0.9.43
0.9.44
0.9.44.post1
0.9.44.post2
0.9.44.post3
0.9.45
0.9.46
0.9.47
0.9.48
0.9.49
0.9.50
0.9.50.post1
0.9.51
0.9.52
0.9.53
0.9.54
0.9.55
0.9.56
0.10.0
0.10.1
0.10.2
0.10.3
0.10.5a1
0.10.5a2
0.10.5a3
0.10.5a4
0.10.5a5
0.10.5a6
0.10.5a7
0.10.5a8
0.10.5a9
0.10.5a10
0.10.5
0.10.6
0.10.6.post1
0.10.7
0.10.8
0.10.8.post1
0.10.9
0.10.10
0.10.11
0.10.11.post1
0.10.12
0.10.13
0.10.14
0.10.14.post1
0.10.15
0.10.16
0.10.16.post1
0.10.17
0.10.18
0.10.18.post1
0.10.19
0.10.20
0.10.20.post1
0.10.20.post2
0.10.20.post3
0.10.21
0.10.21.post1
0.10.22
0.10.23
0.10.23.post1
0.10.24a1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/llama-index-core/PYSEC-2026-396.yaml"