CVE-2026-5831

MEDIUM 6.3

Agions taskflow-ai terminal_execute handlers.ts os command injection

CVSS Score

6.3

EPSS Score

0.7%

EPSS Percentile

73th

A security flaw has been discovered in Agions taskflow-ai up to 2.1.8. This impacts an unknown function of the file src/mcp/server/handlers.ts of the component terminal_execute. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. Upgrading to version 2.1.9 will fix this issue. The patch is named c1550b445b9f24f38c4414e9a545f5f79f23a0fe. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

CWE	CWE-78 CWE-77
Vendor	agions
Product	taskflow-ai
Published	Apr 9, 2026
Last Updated	Apr 9, 2026

Stay Ahead of the Next One

Get instant alerts for agions taskflow-ai

Be the first to know when new medium vulnerabilities affecting agions taskflow-ai are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Agions / taskflow-ai

2.1.0 2.1.1 2.1.2 2.1.3 2.1.4 2.1.5 2.1.6 2.1.7 2.1.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/356278 vuldb.com: https://vuldb.com/vuln/356278/cti vuldb.com: https://vuldb.com/submit/789515 github.com: https://github.com/Agions/taskflow-ai/issues/2 github.com: https://github.com/Agions/taskflow-ai/commit/c1550b445b9f24f38c4414e9a545f5f79f23a0fe github.com: https://github.com/Agions/taskflow-ai/releases/tag/v2.1.9 github.com: https://github.com/Agions/taskflow-ai/

Credits

🔍 BruceJin (VulDB User) VulDB CNA Team