CVE-2026-42078 MEDIUM

CVE-2026-42078: PPTAgent: Arbitrary File Write + Directory Creation via markdown_table_to_image

Vendor Icip-Cas
Product PPTAgent
Weakness CWE-22 · Path traversal
Published May 4, 2026
Last update May 4, 2026

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary file write and directory creation via markdown_table_to_image. This issue has been patched via commit 418491a.

Key dates

02 Disclosure timeline

May 4, 2026 CVE published
May 4, 2026 Record updated