CVE-2026-26057

{"id": "CVE-2026-26057", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2026-02-19T19:22:29.537", "references": [{"url": "https://github.com/cisco-ai-defense/skill-scanner/commit/1e35e57f3051ecc89ba845ae7206321c8eac20a1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cisco-ai-defense/skill-scanner/security/advisories/GHSA-ppfx-73j5-fhxc", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "Skill Scanner is a security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. A vulnerability in the API Server of Skill Scanner could allow a unauthenticated, remote attacker to interact with the server API and either trigger a denial of service (DoS) condition or upload arbitrary files. This vulnerability is due to an erroneous binding to multiple interfaces. An attacker could exploit this vulnerability by sending API requests to a device exposing the affected API Server. A successful exploit could allow the attacker to consume an excessive amount of resources (memory starvation) or to upload files to arbitrary folders on the affected device. This vulnerability affects Skill-scanner 1.0.1 and earlier releases when the API Server is enabled. The API Server is not enabled by default. Skill-scanner software releases 1.0.2 and later contain the fix for this vulnerability."}, {"lang": "es", "value": "Skill Scanner es un esc\u00e1ner de seguridad para Habilidades de Agentes de IA que detecta inyecci\u00f3n de prompts, exfiltraci\u00f3n de datos y patrones de c\u00f3digo malicioso. Una vulnerabilidad en el API Server de Skill Scanner podr\u00eda permitir a un atacante remoto no autenticado interactuar con la API del servidor y o bien desencadenar una condici\u00f3n de denegaci\u00f3n de servicio (DoS) o cargar archivos arbitrarios. Esta vulnerabilidad se debe a una vinculaci\u00f3n err\u00f3nea a m\u00faltiples interfaces. Un atacante podr\u00eda explotar esta vulnerabilidad enviando solicitudes de API a un dispositivo que expone el API Server afectado. Un exploit exitoso podr\u00eda permitir al atacante consumir una cantidad excesiva de recursos (agotamiento de memoria) o cargar archivos en carpetas arbitrarias en el dispositivo afectado. Esta vulnerabilidad afecta a Skill-scanner 1.0.1 y versiones anteriores cuando el API Server est\u00e1 habilitado. El API Server no est\u00e1 habilitado por defecto. Las versiones de software de Skill-scanner 1.0.2 y posteriores contienen la correcci\u00f3n para esta vulnerabilidad."}], "lastModified": "2026-02-26T02:56:08.307", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:skill_scanner:*:*:*:*:*:python:*:*", "vulnerable": true, "matchCriteriaId": "7C5695DF-C090-4D35-85DA-39F2FE44B879", "versionEndExcluding": "1.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}