Arbitrary Code Execution Vulnerability in PPTAgent Framework by icip-cas
CVE-2026-42079

8.6 HIGH

Key Information:

Vendor

Icip-cas

Status
Vendor
CVE Published:
4 May 2026

What is CVE-2026-42079?

The PPTAgent framework, designed for reflective PowerPoint generation, had a security flaw that allowed arbitrary code execution: code generated by LLMs was passed to Python eval() while builtins were still in scope, exposing systems that use the framework to exploitation. The vulnerability is fixed in commit 418491a.

Affected Version(s)

PPTAgent < 418491a9a1c02d9d93194b5973bb58df35cf9d00

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
