CVE-2026-45539: Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive
Summary
Microsoft APM, a dependency manager for AI agents, had a vulnerability in versions 0.5.4 to 0.12.4 where symbolic links (shortcuts that point to other files) in downloaded packages were followed without checking, potentially allowing attackers to read or write arbitrary files on a developer's machine. The vulnerability went undetected by security checks because the resulting files were not flagged by the package hash verification, security scans, or audit tools.
Solution / Mitigation
This vulnerability is fixed in version 0.13.0.
Vulnerability Details
7.4(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
network
low
none
required
May 15, 2026
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-45539
First tracked: May 15, 2026 at 02:11 PM
Classified by LLM (prompt v3) · confidence: 92%