{"data":{"id":"189533ed-ce89-465b-893f-91981bc0a6a2","title":"CVE-2026-46383: Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM conta","summary":"Microsoft APM is a tool that manages dependencies for AI agents, and versions before 0.13.0 have a security flaw on Windows systems. When installing a bundle (a package of code) from a .tar.gz file (a compressed archive format), the tool extracts files without properly checking if any file paths could escape the intended folder, potentially allowing an attacker to place files anywhere on the system by using absolute paths like D:/.","solution":"This vulnerability is fixed in version 0.13.0.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-46383","publishedAt":"2026-05-15T17:16:49.090Z","cveId":"CVE-2026-46383","cweIds":["CWE-22","CWE-73"],"cvssScore":"5.5","cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["Microsoft"],"affectedVendorsRaw":["Microsoft APM"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","attackVector":"local","attackComplexity":"low","privilegesRequired":"none","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-05-15T17:16:49.090Z","capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}