CVE-2026-27961

CVE-2026-27961

Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage — it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue.

Published Feb 27, 2026

https://github.com/Agenta-AI/agenta/security/advisories/GHSA-cfr2-mp74-3763

CVSS ScoreHigh

8.8

Vulnerabilities

CVE-2026-27961

Published Feb 27, 2026

https://github.com/Agenta-AI/agenta/security/advisories/GHSA-cfr2-mp74-3763

CVSS ScoreHigh

8.8

CVE-2026-27961 Security Details

CVE ID: CVE-2026-27961
CWE: CWE-1336
CVE Description: Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage — it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue.
Published: Feb 27, 2026
CVSS Score & Severity: 8.8High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.063%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Affected Ecosystems: affected
Source: National Vulnerability Database
References: https://github.com/Agenta-AI/agenta/security/advisories/GHSA-cfr2-mp74-3763PROJECT

CVE-2026-27961 Security Details

CVE ID: CVE-2026-27961
CWE: CWE-1336
CVE Description: Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage — it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue.
Published: Feb 27, 2026
CVSS Score & Severity: 8.8High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.063%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Affected Ecosystems: affected
Source: National Vulnerability Database
References: https://github.com/Agenta-AI/agenta/security/advisories/GHSA-cfr2-mp74-3763PROJECT

Find vulnerabilities. Fix fast with AI.

CVE-2026-27961

CVE-2026-27961 Security Details

CVE-2026-27961 Security Details