CVE-2026-26030

CRITICAL EPSS 85.3%
Published Feb 19, 2026 (4mo ago) · Modified Jun 17, 2026 (2w ago)
9.9 CVSS 3.1

Description

Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade to this version or higher. As a workaround, avoid using `InMemoryVectorStore` for production scenarios.

CVSS Details

Base Score: 9.9
Exploitability: 3.1
Impact: 6.0
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 85.3% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses 1

CWE-94 Improper Control of Generation of Code (Code Injection) · Injection

Affected Products 1

Vendor     Product          Version  Range
microsoft  semantic_kernel  *        <1.39.4

References 3

  • github.com https://github.com/microsoft/semantic-kernel/pull/13505
    Issue Tracking, Patch
  • github.com https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4
    Release Notes
  • github.com https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx
    Patch, Vendor Advisory

Remediation

  • github.com https://github.com/microsoft/semantic-kernel/pull/13505
    Issue Tracking, Patch
  • github.com https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx
    Patch, Vendor Advisory