Platform
python
Component
scrapegraph-ai
Fixed in
1.0.1
1.1.1
1.2.1
1.3.1
1.4.1
1.5.1
1.6.1
1.7.1
1.8.1
1.9.1
1.10.1
1.11.1
1.12.1
1.13.1
1.14.1
1.15.1
1.16.1
1.17.1
1.18.1
1.19.1
1.20.1
1.21.1
1.22.1
1.23.1
1.24.1
1.25.1
1.26.1
1.27.1
1.28.1
1.29.1
1.30.1
1.31.1
1.32.1
1.33.1
1.34.1
1.35.1
1.36.1
1.37.1
1.38.1
1.39.1
1.40.1
1.41.1
1.42.1
1.43.1
1.44.1
1.45.1
1.46.1
1.47.1
1.48.1
1.49.1
1.50.1
1.51.1
1.52.1
1.53.1
1.54.1
1.55.1
1.56.1
1.57.1
1.58.1
1.59.1
1.60.1
1.61.1
1.62.1
1.63.1
1.64.1
1.65.1
1.66.1
1.67.1
1.68.1
1.69.1
1.70.1
1.71.1
1.72.1
1.73.1
1.74.1
CVE-2026-5532 is an operating system command injection vulnerability in ScrapeGraphAI affecting versions 1.0.0 through 1.74.0. An attacker who can reach the vulnerable code path can execute arbitrary operating system commands with the privileges of the ScrapeGraphAI process, which can lead to complete compromise of the host. The fix is in release 1.74.1, the most recent entry in the Fixed in list above; the vulnerability has been publicly disclosed and a proof-of-concept is available.
Successful exploitation lets an attacker run commands of their choosing on the system hosting ScrapeGraphAI: reading or exfiltrating any data the process can access, installing malware or persistence, or taking over the server outright. Because the exploit can be triggered remotely, a compromised scraper host can also serve as a foothold for lateral movement to other systems on the network, widening the blast radius. The public proof-of-concept lowers the effort required to exploit the flaw.
The vulnerability was published on 2026-04-05 with a public proof-of-concept. The vendor was contacted but did not respond. It is not currently listed in the CISA KEV catalog; the EPSS score below is modest, but a public PoC for a command injection flaw warrants close monitoring.
Exploit Status
EPSS
0.86% (75th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-5532 is to upgrade ScrapeGraphAI to 1.74.1 or later, the most recent release in the Fixed in list above. If an immediate upgrade is not possible, validate and sanitize any user-supplied data that reaches an operating system command, and prefer invoking external programs with an argument list rather than a shell command string, so that metacharacters in the input are never interpreted by a shell. A WAF rule is hard to write without knowing the specific command patterns, but restricting outbound network connections from the ScrapeGraphAI process (egress filtering) limits what a successful injection can do. After upgrading, confirm that the installed version is 1.74.1 or later, then re-run the public proof-of-concept, or an equivalent payload, against the affected code path and check that the injected command is not executed.
Update to version 1.74.1 or later to remove the operating system command injection vulnerability. If you maintain a fork or a vendored copy, review the code path that builds operating system commands and ensure that user input is validated and escaped, or better, never passed through a shell at all, before it reaches a command. Run the scraper in an isolated execution environment (a container or sandbox with minimal privileges and restricted egress) to limit the impact of any injection that remains.
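The advisory does not name the function in which the injection occurs, so the following is an added example, not ScrapeGraphAI's code or the published proof-of-concept. It uses a hypothetical helper that hands a user-supplied URL to an external fetcher (curl is assumed only as the command name; it is never executed here) and contrasts the vulnerable string-building pattern with the hardened argument-list pattern plus allowlist validation. The sample URLs are constructed for the example.

```python
import re
import shlex
import subprocess
import sys
from urllib.parse import urlparse

# Constructed sample inputs (not taken from the advisory or its PoC).
BENIGN_URL = "https://example.org/page?id=1"
META_URL = "https://example.org/page;id"                # valid URL, but ';' is a shell operator
BAD_URL = "https://example.org/page; id > /tmp/pwned"  # spaces and '>' are not URL characters

# Characters a URL may legitimately contain (RFC 3986 unreserved + reserved + '%').
_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def build_vulnerable_command(url: str) -> str:
    """Vulnerable pattern: untrusted data interpolated into a string that is later
    handed to a shell (os.system / subprocess.run(..., shell=True)).
    The string is only built here, never executed."""
    return f"curl -s {url}"


def shell_tokens(command: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would, keeping control
    operators (';', '&&', '|', ...) as separate tokens, to show what the shell
    would actually run."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def validate_url(url: str) -> str:
    """Allowlist validation: http(s) scheme, a host, and URL characters only.
    Note that ';' and '&' are legal URL characters, so validation alone does
    not make a shell string safe; the argv form below is the real fix."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"rejected URL (scheme/host): {url!r}")
    if not _URL_CHARS.fullmatch(url):
        raise ValueError(f"rejected URL (illegal characters): {url!r}")
    return url


def is_valid_url(url: str) -> bool:
    try:
        validate_url(url)
    except ValueError:
        return False
    return True


def build_hardened_argv(url: str) -> list[str]:
    """Hardened pattern: validated input passed as a single argv element with
    no shell in the loop. '--' stops the tool from parsing the URL as an option."""
    return ["curl", "-s", "--", validate_url(url)]


def run_without_shell(url: str) -> str:
    """Execute with an argv list (shell=False). The child program stands in for
    an external fetcher and simply echoes argv[1] so the run works offline:
    whatever metacharacters the URL contains arrive as literal text."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", validate_url(url)]
    result = subprocess.run(argv, capture_output=True, text=True, check=True, timeout=30)
    return result.stdout


if __name__ == "__main__":
    cmd = build_vulnerable_command(META_URL)
    print("vulnerable string:", cmd)
    print("shell would see  :", shell_tokens(cmd))   # 'id' becomes a second command
    print("hardened argv    :", build_hardened_argv(META_URL))
    print("child received   :", run_without_shell(META_URL))
    print("BAD_URL accepted?:", is_valid_url(BAD_URL))
```

The point of shell_tokens is that META_URL passes a reasonable URL allowlist and still yields a second command (`id`) once a shell parses the interpolated string; only building an argv list and running with shell=False removes that parsing step.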
CVE-2026-5532 is a command injection vulnerability affecting ScrapeGraphAI versions 1.0.0 through 1.74.0, allowing attackers to execute arbitrary OS commands.
You are affected if you are using ScrapeGraphAI versions 1.0.0 through 1.74.0. Upgrade to 1.74.1 or later to mitigate the risk.
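As an added example (not part of this advisory or the ScrapeGraphAI project), the following script checks a requirements.txt or pip freeze listing against the affected range stated above. It assumes the distribution may be pinned under either the spelling in the Component field (scrapegraph-ai) or the unhyphenated form scrapegraphai, and it treats unpinned or non-semver entries as undetermined rather than safe. The sample requirements are constructed for the example.

```python
import re

# Boundaries taken from this advisory: 1.0.0 through 1.74.0 inclusive are affected;
# 1.74.1 is the most recent entry in the "Fixed in" list.
AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 74, 0)

# Assumption: the package may be pinned under either spelling (PEP 503-normalised).
COMPONENT_ALIASES = {"scrapegraph-ai", "scrapegraphai"}

# Constructed sample requirements.txt (not from the advisory).
SAMPLE_REQUIREMENTS = """\
# scraping stack
requests==2.32.3
ScrapeGraph_AI == 1.35.0   # pinned in the affected range
beautifulsoup4>=4.12
"""

_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
_PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.+!-]*)"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_' and '.' collapse to '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str):
    """Accept plain MAJOR.MINOR.PATCH only; anything else (pre-releases, local
    versions) is returned as None so it is reported as undetermined."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version: tuple) -> bool:
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def audit_requirements(text: str) -> list:
    """Return one finding per line that refers to the component."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        pin = _PIN_RE.match(line)
        if pin is None:
            # Unpinned, URL or editable requirement: cannot decide from the file alone.
            name = _NAME_RE.match(line)
            if name and normalize_name(name.group(0)) in COMPONENT_ALIASES:
                findings.append({"line": raw, "version": None, "status": "undetermined"})
            continue
        if normalize_name(pin.group(1)) not in COMPONENT_ALIASES:
            continue
        version = parse_version(pin.group(3))
        if version is None:
            status = "undetermined"
        else:
            status = "affected" if is_affected(version) else "not affected"
        findings.append({"line": raw, "version": version, "status": status})
    return findings


if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{finding['status']:>13}: {finding['line'].strip()}")
```

Run it against `pip freeze` output for the environment the scraper actually executes in, not only the checked-in requirements file, since a loose specifier can resolve to an affected release at install time.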
Upgrade ScrapeGraphAI to version 1.74.1 or later. If an upgrade is not immediately possible, validate user input before it reaches any operating system command and avoid passing it through a shell, as a temporary workaround.
A proof-of-concept is publicly available, which lowers the barrier to exploitation. Monitor your systems closely.
Refer to the ScrapeGraphAI project's official release notes and security advisories for details on the fix and vulnerability.