CVE-2026-46383: Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM conta
Summary
Microsoft APM is a tool that manages dependencies for AI agents. On Windows, versions before 0.13.0 contain a path traversal flaw: when installing a bundle (a package of code) from a .tar.gz archive, the tool extracts entries without validating that each entry's path stays inside the intended destination folder, so an archive entry with an absolute path such as D:/ can cause a file to be written anywhere on the system.
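The check that closes this class of bug is per-entry path validation before anything is written. The following is an added example, not APM's own code or its fix; it assumes a Python extraction routine (function names `is_safe_member_name`, `safe_extract`, `build_demo_archive` and `run_demo` are hypothetical) and builds a constructed in-memory bundle containing one benign entry next to the three shapes an extractor must refuse: a Windows drive-absolute path like the one in this advisory, a `..` traversal, and a POSIX-absolute path. The validator applies both POSIX and Windows rules whatever the host OS, so a `D:/...` entry is rejected even when the installer runs on Linux or macOS.

```python
import io
import ntpath
import os
import posixpath
import tarfile
import tempfile


def is_safe_member_name(name: str) -> bool:
    """True only if a tar entry name cannot leave the extraction root.

    Both POSIX and Windows rules are applied regardless of the host OS, so a
    drive-absolute name such as "D:/evil.txt" is rejected even when this
    validator runs on Linux or macOS, where os.path knows nothing about drives.
    """
    if not name or "\x00" in name:
        return False
    # Absolute under either convention: leading "/" or "\", a UNC prefix,
    # or a drive letter with a root ("D:/...").
    if posixpath.isabs(name) or ntpath.isabs(name):
        return False
    # Drive-relative names ("D:evil.txt") carry a drive but no root; on Windows
    # the drive alone would redirect the write, so refuse any drive at all.
    if ntpath.splitdrive(name)[0]:
        return False
    # Treat both separators alike and refuse any ".." component.
    if any(part == ".." for part in name.replace("\\", "/").split("/")):
        return False
    return True


def safe_extract(tar_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only regular files and directories whose paths stay inside dest.

    Returns (extracted_names, rejected_names) so the caller can log what was dropped.
    """
    dest_real = os.path.realpath(dest)
    extracted: list[str] = []
    rejected: list[str] = []
    # Where the stdlib offers the "data" extraction filter (3.12+ and the
    # security backports), use it as a second line of defence behind our checks.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for member in tf:
            # Symlinks, hard links and device nodes have no place in a bundle.
            if not (member.isfile() or member.isdir()):
                rejected.append(member.name)
                continue
            if not is_safe_member_name(member.name):
                rejected.append(member.name)
                continue
            # Final check on the resolved target: also catches an escape through
            # a symlinked directory that already exists under dest.
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(member.name)
                continue
            tf.extract(member, dest_real, **extract_kwargs)
            extracted.append(member.name)
    return extracted, rejected


def build_demo_archive() -> bytes:
    """Constructed sample bundle (not a real APM package): one benign entry plus
    the kinds of entries an extractor must refuse."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name: str, data: bytes = b"x") -> None:
            info = tarfile.TarInfo(name)  # name is stored verbatim, no normalisation
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))

        add("bundle/manifest.json", b'{"name": "demo"}')
        add("D:/Users/Public/escaped.txt")  # Windows drive-absolute path (this advisory's pattern)
        add("../outside.txt")               # parent-directory traversal
        add("/etc/escaped")                 # POSIX-absolute path
    return buf.getvalue()


def run_demo() -> tuple[list[str], list[str]]:
    """Extract the constructed bundle into a fresh temp dir; returns (extracted, rejected)."""
    dest = tempfile.mkdtemp(prefix="apm_safe_extract_")
    return safe_extract(build_demo_archive(), dest)


if __name__ == "__main__":
    ok, dropped = run_demo()
    print("extracted:", ok)       # ['bundle/manifest.json']
    print("rejected: ", dropped)  # the three escaping entries
```

Two design notes. First, the example keeps its own validator in front of the stdlib `filter="data"` option because that filter only exists on Python 3.12+ and the backported 3.8 to 3.11 security releases, and because a check written only with `os.path` would not recognise `D:/` as absolute on a non-Windows host. Second, the example skips bad entries and reports them; for a dependency manager, aborting the whole install on the first rejected entry is usually the better policy, since a bundle carrying such paths is not one you want partially installed.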
Solution / Mitigation
This vulnerability is fixed in version 0.13.0.
Vulnerability Details
CVSS 3.1 base score: 5.5 (medium)
EPSS: 0.0%
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack vector: local
Attack complexity: low
Privileges required: none
User interaction: required
May 15, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-46383
First tracked: May 15, 2026 at 02:11 PM
Classified by LLM (prompt v3) · confidence: 85%