PT-2026-22697 · Modelscope · Modelscope Ms-Agent

Itamar Yochpaz · Published 2026-03-02 · Updated 2026-03-30 · CVE-2026-2256

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

ModelScope ms-agent versions v1.6.0rc1 and earlier

Description

A command injection flaw exists in ModelScope's ms-agent, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived input. The vulnerability stems from improper input sanitization within the Shell tool, where a regex-based blacklist is ineffective against obfuscated attacks. Successful exploitation can lead to full system compromise, including data exfiltration, persistence, and lateral movement. The check_safe() function, intended to filter malicious commands, can be bypassed. The vulnerability affects AI agent frameworks and autonomous tooling globally.

Recommendations

ModelScope ms-agent versions prior to v1.6.0rc1 are affected. Isolate or sandbox the MS-Agent framework. Enforce least-privilege permissions for the MS-Agent framework. Trust only sanitized inputs to the MS-Agent framework. Replace the current regex-based blacklist with a strict allowlist for input validation.
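
The allowlist recommendation above, sketched as an added example (this is not ms-agent's code): the command string is parsed into an argv list, every token is checked against an explicit allowlist, and the result is executed without a shell. The names `ALLOWED`, `validate_command` and `run_tool_command`, and the permitted programs and options, are assumptions chosen for illustration.

```python
import re
import shlex
import subprocess

# Hypothetical allowlist: program name -> permitted options (an assumption,
# not ms-agent's configuration). Anything not listed is refused.
ALLOWED = {
    "ls": {"-l", "-a", "-la"},
    "cat": set(),
    "wc": {"-l", "-c"},
}
# Operands must be plain relative paths: no shell metacharacters, no
# whitespace, and no leading "/", "." or "-".
SAFE_OPERAND = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_./-]*")


class CommandRejected(ValueError):
    """Raised when a command does not fit the allowlist."""


def validate_command(command: str) -> list[str]:
    """Return an argv list if the command fits the allowlist, else raise."""
    try:
        argv = shlex.split(command, posix=True)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise CommandRejected(f"unparseable command: {exc}") from exc
    if not argv:
        raise CommandRejected("empty command")
    program, args = argv[0], argv[1:]
    if program not in ALLOWED:
        raise CommandRejected(f"program not allowlisted: {program!r}")
    for arg in args:
        if arg.startswith("-"):
            if arg not in ALLOWED[program]:
                raise CommandRejected(f"option not allowlisted: {arg!r}")
        elif not SAFE_OPERAND.fullmatch(arg) or ".." in arg.split("/"):
            raise CommandRejected(f"operand rejected: {arg!r}")
    return argv


def run_tool_command(command: str, workdir: str) -> str:
    """Execute a validated argv directly; no shell ever parses the string."""
    argv = validate_command(command)
    result = subprocess.run(argv, cwd=workdir, shell=False, capture_output=True,
                            text=True, timeout=10, check=False)
    return result.stdout
```

Because validation runs on the parsed tokens and execution uses `shell=False`, what was checked is exactly what runs; the allowlist still belongs inside the sandbox and least-privilege account the recommendations call for.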

Exploit

Fix

RCE

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-2256
GHSA-4GC2-344Q-R2RW

Affected Products

Modelscope Ms-Agent