Platform: python
Component: letta-ai/letta
Fixed in: 0.16.5
A code injection vulnerability has been identified in letta-ai letta version 0.16.4. This flaw stems from improper neutralization of directives within dynamically evaluated code, allowing attackers to potentially execute arbitrary commands. The vulnerability is remotely exploitable and a public exploit is already available, increasing the risk of immediate exploitation. Affected versions include 0.16.4.
Successful exploitation of CVE-2026-4965 allows an attacker to inject and execute arbitrary code on the system running letta-ai letta. This can lead to complete system compromise, including data theft, modification, or destruction. Given the availability of a public exploit, the potential for widespread exploitation is significant. The attack vector is remote, meaning an attacker does not need local access to exploit the vulnerability. This vulnerability builds upon an incomplete fix for CVE-2025-6101, suggesting a history of similar issues within the project.
CVE-2026-4965 is actively being exploited, as evidenced by the public availability of a proof-of-concept. The vulnerability was disclosed on 2026-03-27. The vendor was contacted but did not respond. The presence of a public exploit significantly increases the risk of widespread exploitation. It is recommended to prioritize patching or mitigation efforts immediately.
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2026-4965 is to upgrade to a patched version of letta-ai letta. As no fixed version is currently specified, carefully review the project's release notes and consider rolling back to a previous, known-stable version if the upgrade introduces compatibility issues. Implement input validation and sanitization on any user-supplied data used in dynamically evaluated code. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests. Monitor system logs for unusual activity or attempts to execute arbitrary commands.
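To make the "input validation and sanitization on any user-supplied data used in dynamically evaluated code" advice concrete, here is an added example that is not letta's code and makes no claim about where letta evaluates input. It contrasts the vulnerable pattern (handing caller-controlled text to eval()) with a hardened evaluator that parses the text into an AST and walks an explicit allowlist of node types, so that names, attribute access, calls and imports embedded in the string are never interpreted. The sample inputs are constructed for the example.

```python
"""Added example (not letta's code): replacing unrestricted eval() of
user-supplied text with an allowlist-based AST evaluator."""
import ast
import operator

# Constructed sample inputs: a benign arithmetic expression and a
# directive-style string of the kind unrestricted eval() would execute.
BENIGN_INPUT = "2 + 3 * (4 - 1)"
HOSTILE_INPUT = "__import__('os').getenv('HOME')"

# Only these operators are ever applied; everything else is refused.
_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def unsafe_evaluate(expression: str):
    """Vulnerable pattern: whatever the caller sends runs as Python.
    Shown only for contrast; never reachable from untrusted input."""
    return eval(expression)  # noqa: S307


def safe_evaluate(expression: str, max_length: int = 200):
    """Hardened pattern: parse to an AST and accept only numeric literals,
    unary signs and the arithmetic operators listed above. Any other node
    type (Name, Attribute, Call, Import, ...) raises ValueError."""
    if len(expression) > max_length:
        raise ValueError("expression too long")
    tree = ast.parse(expression, mode="eval")

    def _walk(node):
        if isinstance(node, ast.Expression):
            return _walk(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
            left, right = _walk(node.left), _walk(node.right)
            # Bound exponents so a short string cannot exhaust memory/CPU.
            if isinstance(node.op, ast.Pow) and abs(right) > 64:
                raise ValueError("exponent too large")
            return _BINARY_OPS[type(node.op)](left, right)
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](_walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return _walk(tree)


def is_rejected(expression: str) -> bool:
    """True when the hardened evaluator refuses or cannot compute the input.
    SyntaxError covers unparsable text, ZeroDivisionError covers 1/0."""
    try:
        safe_evaluate(expression)
    except (ValueError, SyntaxError, ZeroDivisionError):
        return True
    return False


if __name__ == "__main__":
    print(safe_evaluate(BENIGN_INPUT))   # 11
    print(is_rejected(HOSTILE_INPUT))    # True: Call/Attribute nodes refused
```

The design point is that the allowlist is positive (what is permitted) rather than negative (which substrings to strip); a denylist on strings like `__import__` is the kind of incomplete neutralization that leads to follow-up CVEs. The length and exponent bounds are there because a parser that accepts untrusted text also needs resource limits, not only syntax limits.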
Update the letta-ai letta library to a fixed version. Since no fixed version is available, it is recommended to monitor the project for future updates or to consider alternatives that are not vulnerable to code injection.
CVE-2026-4965 is a code injection vulnerability in letta-ai letta version 0.16.4, allowing remote attackers to execute arbitrary code due to improper directive neutralization.
If you are using letta-ai letta version 0.16.4, you are potentially affected by this vulnerability. Check your version and upgrade as soon as possible.
Upgrade to a patched version of letta-ai letta. As no fixed version is specified, review release notes and consider rolling back if necessary.
Yes, a public exploit for CVE-2026-4965 is available, indicating active exploitation is likely occurring.
Due to lack of vendor response, an official advisory may not be available. Monitor the letta-ai project's website and relevant security mailing lists for updates.