PatchSiren

OpenBMB CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH OpenBMB CVE published 2026-07-13

CVE-2026-26396

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T19:17:03.320Z and has not been modified since then. OpenBMB XAgent v1.0.0 and before is vulnerable to path traversal in the file() function in XAgent/XAgentServer/application/routers/workspace.py. The input parameter 'filename' is user-controllable and is concatenated into the file path to be rea [truncated]