PT-2026-53600 · Pypi · Semantic-Kernel

Publicado

2026-06-29

·

Atualizado

2026-06-29

CVSS v3.1

9.9

Crítica

VetorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Impact

What kind of vulnerability is it? Who is impacted? An Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. Developers who have built applications which include Microsoft's Semantic Kernel .NET SDK and are using the SessionsPythonPlugin

Patches

Has the problem been patched? What versions should users upgrade to? The problem has been fixed in Microsoft.SemanticKernel.Plugins.Core version 1.71.0. Users should upgrade to version 1.71.0 or higher.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? Users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync  or UploadFileAsync and ensures the provided localFilePath is allow listed.

References

Are there any links users can visit to find out more?

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Identificadores relacionados

PYSEC-2026-531

Produtos afetados

Semantic-Kernel