{"data":{"id":"c98d1ade-c9fd-4c40-84d8-ba9117dafbdf","title":"CVE-2026-41208: Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @papercl","summary":"Paperclip is a Node.js server and React UI that manages multiple AI agents to run a business. Versions before 2026.416.0 have an OS command injection vulnerability that allows privilege escalation: an attacker with an agent API key (a credential that identifies an agent) can cause the Paperclip server to run arbitrary OS commands (operating-system commands of the attacker's choosing) by injecting them into a configuration field whose contents the server later executes.","solution":"@paperclipai/server version 2026.416.0 fixes the issue.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-41208","publishedAt":"2026-04-23T02:16:18.670Z","cveId":"CVE-2026-41208","cweIds":["CWE-78"],"cvssScore":"8.8","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["Paperclip","@paperclipai/server"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"network","attackComplexity":"low","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-23T02:16:18.670Z","capecIds":["CAPEC-88"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":["AML.T0010"]}}