Impact
An operating system command injection flaw exists in the create_sandbox_and_execute function of the GenerateCodeNode component of ScrapeGraphAI scrapegraph-ai. By supplying crafted input, an attacker can cause arbitrary commands to be executed on the host machine, potentially compromising confidentiality, integrity, and availability. The vulnerability can be triggered remotely and has been disclosed publicly.
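To illustrate the flaw class named above, here is an added example that is not scrapegraph-ai's own code: the function names, the sample input and the sandbox shape are assumptions. It contrasts a shell-interpolated command line (shown only as a string, never executed) with a no-shell invocation in which the untrusted text is a single argv element, and includes a small triage helper that flags shell metacharacters in generated code before it reaches any executor.

```python
import re
import subprocess
import sys

# Constructed sample input: "generated code" that also carries shell metacharacters.
SAMPLE_INPUT = "print('hello'); echo INJECTED > marker.txt"

SHELL_METACHARS = re.compile(r"[;&|`$<>\n]")

def flag_shell_metachars(text: str) -> list:
    # Defensive triage aid: list the characters that would let a shell split or
    # redirect the command if this text were ever interpolated into a shell line.
    return sorted(set(SHELL_METACHARS.findall(text)))

def build_shell_line_unsafe(untrusted: str) -> str:
    # ANTI-PATTERN, shown only as a string and never executed: with shell=True,
    # everything after ';' in the untrusted text runs as a separate OS command.
    return f"{sys.executable} -c {untrusted}"

def run_sandboxed(snippet: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    # Hardened shape against OS command injection: no shell is involved, the
    # interpreter is invoked directly, and the untrusted snippet is a single argv
    # element, so ';', '>' and friends are inert bytes handed to the interpreter.
    # -I isolates the child from the caller's environment variables and site dir.
    # This only stops shell injection; it does not limit what the Python snippet
    # itself may do, which needs real process isolation (container, seccomp, etc.).
    return subprocess.run(
        [sys.executable, "-I", "-c", snippet],
        capture_output=True, text=True, timeout=timeout, shell=False, check=False,
    )

if __name__ == "__main__":
    print("metacharacters present:", flag_shell_metachars(SAMPLE_INPUT))
    print("unsafe line (not run):", build_shell_line_unsafe(SAMPLE_INPUT))
    result = run_sandboxed(SAMPLE_INPUT)
    # The trailing shell fragment is a Python syntax error, not a second command.
    print("exit code:", result.returncode)
    print("stderr tail:", result.stderr.strip().splitlines()[-1])
```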
Affected Systems
ScrapeGraphAI scrapegraph-ai versions up to 1.74.0 are vulnerable. The flaw resides in the GenerateCodeNode component’s create_sandbox_and_execute routine.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score of approximately 1.45% (≈0.01449) suggests a low but non‑zero likelihood of exploitation. A public exploit exists, it can be launched remotely, and no official patch has been released, all of which increase the risk. The vulnerability is not listed in the CISA KEV catalog. Attackers can remotely invoke the vulnerable function, leading to command execution on the underlying operating system.
OpenCVE Enrichment