PT-2026-28603 · Giskard · Giskard
Kodareef5 · Published 2026-03-27 · Updated 2026-03-31
CVE-2026-34172
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Giskard versions prior to 0.3.4
Giskard versions prior to 1.0.2b1
Description
Giskard, a Python library for testing agentic systems, contains a flaw where the ChatWorkflow.chat() method directly uses a string argument as a Jinja2 template source with a non-sandboxed environment. When a developer passes user-supplied input to this method, that input can execute arbitrary code through Jinja2 class traversal. The chat method and message parameter are designed to accept user input, but the input is silently parsed as a Jinja2 template instead of being treated as plain text. The vulnerability stems from the use of a standard Jinja2 Environment, which lacks restrictions on attribute access, instead of a SandboxedEnvironment. This enables attackers to traverse class hierarchies and ultimately execute system commands. A proof of concept demonstrates the ability to access and execute functions like os.popen(), leading to remote code execution on the server.
Recommendations
Update to Giskard version 0.3.4 or later.
Update to Giskard version 1.0.2b1 or later.
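For code that calls Jinja2 directly, the pattern from the description can be audited statically. The following is an added example, not Giskard's code or part of the advisory: it uses Python's ast module to flag templates compiled from non-literal strings and plain Environment() constructions. The sample source and the function names are constructed for illustration.

```python
import ast

# Constructed sample to scan; it is parsed, never executed, and is not Giskard's code.
SAMPLE = '''
from jinja2 import Environment, Template
from jinja2.sandbox import SandboxedEnvironment

def chat(message):
    env = Environment()
    return env.from_string(message).render()

def greet(name):
    env = SandboxedEnvironment()
    return env.from_string("Hello {{ name }}").render(name=name)

def banner(text):
    return Template(text).render()
'''

def _callee(call):
    """Name of the called function or method, or None for other call shapes."""
    f = call.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)

def find_dynamic_templates(source):
    """Return (line, callee) for templates compiled from a non-literal string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = _callee(node)
        if name not in ("from_string", "Template"):
            continue
        src = node.args[0]
        # A string literal is a developer-authored template. Anything else may
        # carry user input and should be passed to render() as a variable.
        if isinstance(src, ast.Constant) and isinstance(src.value, str):
            continue
        findings.append((node.lineno, name))
    return sorted(findings)

def unsandboxed_environments(source):
    """Return line numbers where a plain Environment() is constructed."""
    calls = (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.Call))
    return sorted(n.lineno for n in calls if _callee(n) == "Environment")

if __name__ == "__main__":
    for line, name in find_dynamic_templates(SAMPLE):
        print(f"line {line}: {name}() compiles a non-literal string as a template")
    for line in unsandboxed_environments(SAMPLE):
        print(f"line {line}: Environment() used instead of SandboxedEnvironment()")
```

The check is a heuristic on call names, so it needs manual review of each hit; the `greet` function in the sample shows the form that passes user input as a render variable instead of as template source.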
Affected Products
Giskard