CyberRota

CVE-2026-58449

CRITICAL · CVSS 9.8 · Public Exploit

Source: NVD + CISA KEV + EPSS · Published: 2026-06-30T22:16:58.397 · Fetched at: 2026-07-01T06:08:49.350241+00:00

CyberRota Commentary

Remotely exploitable, but only under the deployment conditions given in the NVD description below: the API must be reachable with no TOKEN configured (so every endpoint is unauthenticated) and the index must be writable. That is not the default configuration, so check those three conditions before treating an exposed txtai instance as affected.

Public Exploit Signal

A public exploit / PoC / GitHub / Metasploit signal was detected in the description or references of this CVE. This is a keyword-based signal, not a confirmed weaponized exploit.

Detected Signals (keyword matches)
exploit, remote code execution, code execution

Note: these links are listed solely for security research and verification purposes.

CVE: CVE-2026-58449
Severity: CRITICAL
CVSS: 9.8
EPSS: none

Original NVD Description

txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which performs __import__ and getattr on the caller-supplied dotted path with no allowlist. When the API is exposed with no TOKEN configured (authentication is opt-in, so all endpoints are unauthenticated) and the index is configured writable, a remote attacker can set function to an arbitrary callable such as subprocess.getoutput, achieving remote code execution as the server process during reindexing. Exploitation requires those deployment conditions (API exposed, no TOKEN, writable index); it is not the default configuration. The fix gates the endpoint behind a new reindex configuration flag.
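The description above explains the mechanism rather than showing it: a dotted path supplied by the caller is turned into a live Python object with __import__ and getattr, and because nothing restricts which paths are accepted, "subprocess.getoutput" resolves just as readily as a harmless helper. The following block is an added example written for this page, not txtai's code and not the fixing commit. It reconstructs that resolution pattern from the description, places an allowlisted resolver beside it, and models the three deployment conditions the advisory lists (API reachable, no TOKEN, writable index) plus the new reindex gate. The function names, the allowlist contents and the configuration keys (token, writable, reindex, patched) are assumptions made for the example; the resolved callable is never invoked.

```python
"""Added example for CVE-2026-58449: the unsafe dotted-path resolution pattern
the advisory describes, an allowlisted alternative, and a check for the
deployment conditions under which /reindex is reachable.  Not txtai's code;
function names, allowlist contents and config keys are assumptions."""
import importlib
from typing import Any, Callable, Dict, Iterable


def resolve_unsafe(path: str) -> Any:
    """Resolve a caller-supplied dotted path with no allowlist.

    Written from the advisory's description of txtai.util.Resolver
    (__import__ then getattr down the path); it is not copied from txtai.
    Anything importable on the server, e.g. "subprocess.getoutput", is
    returned as a live callable.
    """
    module_name, _, attr_path = path.partition(".")
    obj: Any = importlib.import_module(module_name)  # same effect as __import__
    for name in attr_path.split(".") if attr_path else []:
        obj = getattr(obj, name)
    return obj


# Explicit allowlist of the only dotted paths an operator intends to expose.
# The contents are an assumption for this example.
ALLOWED_FUNCTIONS = frozenset({"math.sqrt", "json.dumps"})


def resolve_allowlisted(path: str, allowed: Iterable[str] = ALLOWED_FUNCTIONS) -> Callable:
    """Hardened resolver: refuse any path not on the allowlist before any
    import or attribute lookup happens."""
    if path not in set(allowed):
        raise PermissionError(f"callable {path!r} is not allowlisted")
    return resolve_unsafe(path)


def rejected_by_allowlist(path: str) -> bool:
    """True when the allowlisted resolver refuses the path."""
    try:
        resolve_allowlisted(path)
    except PermissionError:
        return True
    return False


def reindex_exposed(config: Dict[str, Any]) -> bool:
    """Model the conditions under which the advisory says /reindex is reachable
    by an attacker: no TOKEN (every endpoint unauthenticated) and a writable
    index.  An unpatched build has no reindex gate, so the endpoint is live
    whenever the index is writable; a patched build additionally needs the
    reindex flag.  The keys token/writable/reindex/patched are assumed names."""
    authenticated = bool(config.get("token"))
    writable = bool(config.get("writable", False))
    gate_open = config.get("reindex", False) if config.get("patched", False) else True
    return (not authenticated) and writable and gate_open


if __name__ == "__main__":
    # The same resolver that serves a legitimate helper hands back an
    # arbitrary callable; it is only inspected here, never called.
    fn = resolve_unsafe("subprocess.getoutput")
    print("resolved:", fn.__module__ + "." + fn.__name__, "callable:", callable(fn))
    print("allowlist rejects subprocess.getoutput:", rejected_by_allowlist("subprocess.getoutput"))
    # Constructed deployment configs for the check.
    for cfg in ({"writable": True, "patched": False},
                {"writable": True, "patched": False, "token": "s3cret"},
                {"writable": True, "patched": True},
                {"writable": True, "patched": True, "reindex": True}):
        print(cfg, "-> exposed:", reindex_exposed(cfg))
```

When triaging a real deployment, the three inputs to reindex_exposed are the facts worth collecting: whether the txtai API is network-reachable, whether a TOKEN is configured, and whether the index is writable. Upgrading past commit 11b32da adds the reindex gate, but an allowlist on the resolver is the defence that removes the class of bug rather than one endpoint's reachability.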