All 7 CVE vulnerabilities found in XAgent, with AI-generated Chinese analysis, references, and POCs.
Vendor: Trellix

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-4959 | OpenBMB XAgent ShareServer WebSocket Endpoint share.py check_user missing authentication CWE-306 | 7.3 | High | 2026-03-27 |
| CVE-2026-4958 | OpenBMB XAgent WebSocket Endpoint replayer.py ReplayServer.send_data authorization CWE-639 | 3.1 | Low | 2026-03-27 |
| CVE-2026-4957 | OpenBMB XAgent API Key function_handler.py FunctionHandler.handle_tool_call log file CWE-532 | 2.7 | Low | 2026-03-27 |
| CVE-2026-3954 | OpenBMB XAgent workspace.py workspace path traversal CWE-22 | 6.5 | Medium | 2026-03-11 |
| CVE-2025-6281 | OpenBMB XAgent community path traversal CWE-22 | 5.5 | Medium | 2025-06-19 |
| CVE-2024-2007 | OpenBMB XAgent Privileged Mode sandbox CWE-265 | 5.3 | Medium | 2024-02-29 |
| CVE-2022-4326 | Trellix xAgent permission bypass vulnerability CWE-281 | 5.5 | Medium | 2022-12-16 |