CVE-2026-42079: PPTAgent: Arbitrary Code Execution via Python eval() of LLM-Generated Code with Builtins in Scope
This vulnerability has been fixed in https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00.
CodeExecutor.execute_actions (pptagent/apis.py:126-205) processes LLM-generated slide editing actions using Python’s eval().
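The following is an added example, not PPTAgent's code or its fix: it shows why an eval() namespace still exposes builtins, next to a dispatcher that parses each action line and calls only allow-listed functions with literal arguments. The function names, the ALLOWED table and the slide dictionary are assumptions made for illustration.

```python
import ast
import inspect

# Hypothetical slide-editing functions (assumed names, not PPTAgent's API).
def replace_text(slide, element_id, text):
    slide[element_id] = text
    return ("replace_text", element_id)

def delete_element(slide, element_id):
    slide.pop(element_id, None)
    return ("delete_element", element_id)

ALLOWED = {"replace_text": replace_text, "delete_element": delete_element}

def builtins_reachable(namespace):
    """Show the flaw class: eval() adds __builtins__ to a globals dict that
    lacks it, so evaluated text can resolve names such as __import__."""
    return eval("callable(__import__)", dict(namespace))

class RejectedAction(ValueError):
    """Raised when an action line is not a plain allow-listed call."""

def run_action(line, slide):
    """Dispatch one model-produced action line without evaluating it."""
    try:
        call = ast.parse(line.strip(), mode="eval").body
    except (SyntaxError, ValueError):
        raise RejectedAction("not a single expression") from None
    if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)):
        raise RejectedAction("only direct calls by name are accepted")
    func = ALLOWED.get(call.func.id)
    if func is None:
        raise RejectedAction(f"not allow-listed: {call.func.id}")
    if call.keywords:
        raise RejectedAction("keyword arguments are not accepted")
    try:
        # literal_eval accepts constants only; nested calls, names and
        # attribute access raise ValueError.
        args = [ast.literal_eval(arg) for arg in call.args]
    except (ValueError, TypeError):
        raise RejectedAction("arguments must be literals") from None
    if not all(isinstance(a, (int, str)) for a in args):
        raise RejectedAction("arguments must be int or str")
    try:
        inspect.signature(func).bind(slide, *args)  # arity check before calling
    except TypeError:
        raise RejectedAction("wrong number of arguments") from None
    return func(slide, *args)
```

Passing an empty `__builtins__` to eval() narrows what resolves but is not a sandbox boundary on its own, which is why the dispatcher never evaluates the model's text.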