{"data":{"id":"98bcb889-d6d1-4e4a-a086-1957b0969a8d","title":"CVE-2026-45539: Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive ","summary":"Microsoft APM, a dependency manager for AI agents, had a vulnerability in versions 0.5.4 to 0.12.4 where symbolic links (shortcuts that point to other files) in downloaded packages were followed without validation, potentially allowing attackers to read or write arbitrary files on a developer's machine. The resulting files were not flagged by the package hash verification, security scans, or audit tools, so the issue went undetected by those checks.","solution":"This vulnerability is fixed in version 0.13.0.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-45539","publishedAt":"2026-05-15T17:16:48.887Z","cveId":"CVE-2026-45539","cweIds":["CWE-59","CWE-200"],"cvssScore":"7.4","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["Microsoft"],"affectedVendorsRaw":["Microsoft APM"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-05-15T17:16:48.887Z","capecIds":["CAPEC-116"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"framework","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}