Agents
CVE-2026-7784: NagaAgent Skills Endpoint Path Traversal Enables Remote File Access (CVSS 7.3)
A path traversal vulnerability was disclosed in RTGS2017 NagaAgent up to v5.1.0, affecting the Skills Endpoint in apiserver/routes/extensions.py. The user-controlled 'Name' parameter lacks path normalization, enabling an external attacker to traverse outside the intended directory and read or overwrite files with no user interaction or special privileges required. The exploit is publicly disclosed. This adds to the growing pattern of skills/plugin systems being the weakest link in agent architectures.
↳ Follow the thread