PatchSiren

Aider-AI CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW Aider-AI CVE published 2026-05-31

CVE-2026-10177

A server-side request forgery (SSRF) vulnerability exists in Aider-AI Aider version 0.86.3, specifically within the `requests.get` function in `api_docs.py` when handling the AWS EC2 Metadata Endpoint component. The vulnerability allows remote attackers to manipulate requests to unauthorized destinations. The issue has been publicly disclosed with an available exploit, and a pull request containing a fix [truncated]

LOW Aider-AI CVE published 2026-05-31

CVE-2026-10176

Aider-AI Aider 0.86.3 contains a SQL injection weakness in its Code Generation Workflow component. The vulnerability is remotely exploitable and has been publicly disclosed, though the vendor has not yet responded to early notification. The CVSS 4.0 vector indicates network attack vector with low privileges required and low impacts across confidentiality, integrity, and availability. The CNA-assigned weak [truncated]

LOW Aider-AI CVE published 2026-05-31

CVE-2026-10174

Aider-AI Aider 0.86.3 contains a protection mechanism failure in its Pre-commit Hook Handler, specifically within aider/args.py. The git-commit-verify argument can be manipulated to bypass intended protections. The vulnerability is remotely exploitable and has publicly available exploit material. The vendor was notified via an issue report prior to publication but had not responded at the time of CVE publ [truncated]