Home

Description

A vulnerability was identified in bagofwords1 bagofwords up to 0.0.297. This impacts the function generate_df of the file backend/app/ai/code_execution/code_execution.py. Such manipulation leads to injection. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 0.0.298 will fix this issue. The name of the patch is 47b20bcda31264635faff7f6b1c8095abe1861c6. It is recommended to upgrade the affected component.

PUBLISHED Reserved 2026-03-20 | Published 2026-03-20 | Updated 2026-03-24 | Assigner VulDB




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
6.5AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

Injection

Improper Neutralization

Product status

0.0.297
affected

0.0.298
unaffected

Timeline

2026-03-20:Advisory disclosed
2026-03-20:VulDB entry created
2026-03-20:VulDB entry last update

Credits

Goku (VulDB User) reporter

References

vuldb.com/?id.352065 (VDB-352065 | bagofwords1 bagofwords code_execution.py generate_df injection) vdb-entry technical-description

vuldb.com/?ctiid.352065 (VDB-352065 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.773890 (Submit #773890 | https://bagofwords.com/ bagofwords <=0.0.297 Remote command execution) third-party-advisory

github.com/bagofwords1/bagofwords/issues/60 issue-tracking

github.com/bagofwords1/bagofwords/pull/63 issue-tracking patch

github.com/Ka7arotto/cve/blob/main/bagofwords-rce.md exploit

github.com/...ommit/47b20bcda31264635faff7f6b1c8095abe1861c6 patch

github.com/bagofwords1/bagofwords/releases/tag/v0.0.298 patch

github.com/bagofwords1/bagofwords/ product

cve.org (CVE-2026-4500)

nvd.nist.gov (CVE-2026-4500)

Download JSON