PT-2026-31665 · Agixt · Agixt

Published: 2026-04-08 · Updated: 2026-05-13 · CVE-2026-39981

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

AGiXT versions prior to 1.9.2

Description

AGiXT is a dynamic AI Agent Automation Platform. The safe_join() function in the essential_abilities extension does not properly validate file paths, allowing authenticated attackers to use directory traversal sequences to read, write, or delete arbitrary files on the server. The vulnerability resides in the interaction between the /api/agent/MyAgent/command API endpoint, the execute_command function, and the safe_join() function within the essential_abilities extension. The vulnerable parameter is filename within the command_args of the read_file command. This can lead to credential theft, persistent code execution, or denial of service.

Recommendations

Update to AGiXT version 1.9.2 or later.
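
The class of check the description says was missing, as an added Python example; this is not AGiXT's code or its 1.9.2 patch. The function names, the `ws` workspace directory and the sample filenames are constructed for illustration.

```python
import os
import tempfile


def inside(base: str, path: str) -> bool:
    """True if path, after resolving '..' and symlinks, is base or below it."""
    base_real = os.path.realpath(base)
    try:
        # commonpath compares whole components, so /ws-evil does not match /ws.
        return os.path.commonpath([base_real, os.path.realpath(path)]) == base_real
    except ValueError:  # e.g. different drives on Windows
        return False


def naive_join(base: str, filename: str) -> str:
    """Weak pattern: tidies the path but never checks where it lands."""
    return os.path.normpath(os.path.join(base, filename))


def contained_join(base: str, filename: str) -> str:
    """Join filename onto base and refuse any result outside base."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    target = os.path.join(base, filename)  # an absolute filename replaces base here
    if not inside(base, target):
        raise ValueError(f"path escapes workspace: {filename!r}")
    return os.path.realpath(target)


def check_samples() -> dict:
    """Map each constructed filename to (naive result stays inside, contained_join accepts)."""
    samples = ["notes/todo.txt", "a/../b.txt", "../ws-evil/x", "../../etc/passwd", "/etc/passwd"]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        ws = os.path.join(root, "ws")  # hypothetical agent workspace
        os.makedirs(ws)
        for name in samples:
            try:
                contained_join(ws, name)
                accepted = True
            except ValueError:
                accepted = False
            results[name] = (inside(ws, naive_join(ws, name)), accepted)
    return results


if __name__ == "__main__":
    for name, (naive_ok, accepted) in check_samples().items():
        print(f"{name!r:22} naive stays inside: {naive_ok!s:5} contained_join accepts: {accepted}")
```

The comparison runs on the resolved path, so a symlink inside the workspace that points outside it is rejected as well.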

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-39981
GHSA-5GFJ-64GH-MGMW

Affected Products

Agixt