Platform: python
Component: letta-ai/letta
Fixed version: 0.16.5
A code injection vulnerability has been identified in letta-ai letta version 0.16.4. This flaw stems from improper neutralization of directives within dynamically evaluated code, allowing attackers to potentially execute arbitrary commands. The vulnerability is remotely exploitable and a public exploit is already available, increasing the risk of immediate exploitation. Affected versions include 0.16.4.
Successful exploitation of CVE-2026-4965 allows an attacker to inject and execute arbitrary code on the system running letta-ai letta. This can lead to complete system compromise, including data theft, modification, or destruction. Given the availability of a public exploit, the potential for widespread exploitation is significant. The attack vector is remote, meaning an attacker does not need local access to exploit the vulnerability. This vulnerability builds upon an incomplete fix for CVE-2025-6101, suggesting a history of similar issues within the project.
CVE-2026-4965 is actively being exploited, as evidenced by the public availability of a proof-of-concept. The vulnerability was disclosed on 2026-03-27. The vendor was contacted but did not respond. The presence of a public exploit significantly increases the risk of widespread exploitation. It is recommended to prioritize patching or mitigation efforts immediately.
Organizations and individuals using letta-ai letta version 0.16.4, particularly those deploying it in production environments or integrating it with other critical systems, are at significant risk. Systems where letta-ai letta processes user-supplied data without proper sanitization are especially vulnerable.
• python / supply-chain:
    import subprocess
    import sys

    # Check for the vulnerable version of letta-ai letta.
    # The PyPI distribution name of the letta-ai/letta project is 'letta';
    # invoking pip via the current interpreter avoids relying on a 'pip' binary on PATH.
    process = subprocess.run([sys.executable, '-m', 'pip', 'show', 'letta'],
                             capture_output=True, text=True)
    # Match the whole 'Version:' line so that e.g. 0.16.40 is not mistaken for 0.16.4.
    for line in process.stdout.splitlines():
        if line.strip() == 'Version: 0.16.4':
            print('Vulnerable version detected!')
            break
• generic web: Check for unusual process executions or network connections originating from the letta-ai letta process. Monitor access logs for suspicious requests containing potentially malicious code.
References: disclosure, poc
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-4965 is to upgrade to a patched version of letta-ai letta. As no fixed version is currently specified, carefully review the project's release notes and consider rolling back to a previous, known-stable version if the upgrade introduces compatibility issues. Implement input validation and sanitization on any user-supplied data used in dynamically evaluated code. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests. Monitor system logs for unusual activity or attempts to execute arbitrary commands.
Update the letta-ai letta library to a fixed version. Since no fixed version is available, it is recommended to monitor the project for future updates or to consider alternatives that are not vulnerable to code injection.
CVE-2026-4965 is a code injection vulnerability in letta-ai letta version 0.16.4, allowing remote attackers to execute arbitrary code due to improper directive neutralization.
If you are using letta-ai letta version 0.16.4, you are potentially affected by this vulnerability. Check your version and upgrade as soon as possible.
Upgrade to a patched version of letta-ai letta. As no fixed version is specified, review release notes and consider rolling back if necessary.
Yes, a public exploit for CVE-2026-4965 is available, indicating active exploitation is likely occurring.
Due to lack of vendor response, an official advisory may not be available. Monitor the letta-ai project's website and relevant security mailing lists for updates.