HIGH
OpenBMB
CVE published 2026-07-13
CVE-2026-26396
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T19:17:03.320Z and has not been modified since then. OpenBMB XAgent v1.0.0 and before is vulnerable to path traversal in the file() function in XAgent/XAgentServer/application/routers/workspace.py. The input parameter 'filename' is user-controllable and is concatenated into the file path to be rea [truncated]