External risk intelligence

Attackers can run commands on ai-scanner systems affecting customer data and service.

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-41512

An external attacker with authenticated access can exploit ai-scanner to run unauthorized commands on the system. This allows them to take full control of the server, potentially exposing sensitive model data and security credentials.

Halo Surface Signal: 3

Weakness: Code Injection

Product: Mozilla 0din Scanner

Affected versions: 1.0.0 to before 1.4.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-41512

The tool is an AI safety scanner, which is typically used as an internal security utility or developer tool within a private pipeline rather than a public-facing edge service. While it accepts external inputs that could lead to exposure if improperly deployed, it is not designed as a public internet gateway, and the context does not confirm it is commonly exposed as an internet-facing service.

Horizon Alert

Summary of the vulnerability and why it matters

An issue in ai-scanner allows for remote code execution through JavaScript injection in the Playwright service. This means an attacker could potentially run malicious code on a system using the affected software.

  • Attackers can execute code remotely.
  • Existing access is required to exploit.
  • This impacts the integrity of systems using the scanner.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated access could exploit this flaw by injecting malicious JavaScript into the `BrowserAutomation::PlaywrightService` component of ai-scanner. This would allow them to execute arbitrary code on the server, potentially leading to a complete system compromise.

  • Requires authenticated access.
  • Targets `BrowserAutomation::PlaywrightService`.
  • JavaScript injection leads to RCE.
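
An illustration of this weakness class (CWE-94) in a browser-automation wrapper, added here as an example; it is not ai-scanner's code, and the template, the `selector` parameter and every function name are hypothetical. It contrasts a script built by string interpolation with one that embeds the value as an encoded literal, and adds a regression check that flags any input able to change the generated script's code structure.

```ruby
require "json"

# Hypothetical template (not ai-scanner's code): the value is pasted into JS source.
def build_script_unsafe(selector)
  <<~JS
    const { chromium } = require('playwright');
    (async () => {
      const page = await (await chromium.launch()).newPage();
      await page.click('#{selector}');
    })();
  JS
end

# Hardened: emit the value as a JSON string literal, which is also a valid
# JavaScript string literal, so quotes and backslashes in it stay data.
def build_script_encoded(selector)
  <<~JS
    const { chromium } = require('playwright');
    (async () => {
      const page = await (await chromium.launch()).newPage();
      await page.click(#{selector.to_json});
    })();
  JS
end

# Single- or double-quoted JS string literal, honouring backslash escapes.
JS_STRING = /"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'/

# Code skeleton: the script with every string literal blanked out.
def code_outside_strings(js)
  js.gsub(JS_STRING, '""')
end

# Regression check: input must never alter the skeleton of the generated script.
def structure_changed?(builder, input, baseline: "x")
  code_outside_strings(builder.call(input)) != code_outside_strings(builder.call(baseline))
end

# Constructed sample input: closes the string literal and appends a harmless statement.
HOSTILE = "#go'); console.log('INJECTED"

if __FILE__ == $PROGRAM_NAME
  puts structure_changed?(method(:build_script_unsafe), HOSTILE)   # true
  puts structure_changed?(method(:build_script_encoded), HOSTILE)  # false
end
```

A stronger design keeps the script text constant and hands parameters to the Node process as data (for example a JSON argument), so no request value is ever part of the source.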

Live Threat

Current exploitation, exposure, and threat context

The vulnerability in ai-scanner, specifically a remote code execution via JavaScript injection, is patched in version 1.4.1. Attackers may find this type of vulnerability attractive due to the potential for full system compromise. However, the tool's typical deployment as an internal security utility rather than a public-facing service might limit its appeal for widespread exploitation.

  • Remote code execution is a high-value target.
  • Patch is available; exploit likely unwritten.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching `ai-scanner` to version 1.4.1 to address a critical remote code execution vulnerability. If patching is delayed, isolate services using vulnerable versions to prevent exploitation.

  • Update `ai-scanner` to version 1.4.1.
  • Block network access to vulnerable `ai-scanner` instances.
  • Monitor for suspicious network activity.

Frequently asked questions

What is the primary function of ai-scanner and what kind of vulnerability does it contain?

ai-scanner is an AI model safety scanner built on NVIDIA garak. It contains a remote code execution vulnerability due to JavaScript injection in its `BrowserAutomation::PlaywrightService` component.

What is the weakness class for CVE-2026-41512 and what is the scope of its impact?

The weakness class for CVE-2026-41512 is CWE-94, which relates to code injection. The vulnerability allows for remote code execution, and the scope is changed (S:C) because an attacker can affect resources beyond their own security scope.

How can an attacker exploit the vulnerability in ai-scanner, and what does exploitation require?

An attacker with authenticated access can exploit this flaw by injecting malicious JavaScript into the `BrowserAutomation::PlaywrightService`. This allows them to execute arbitrary code on the server. Authenticated access is a prerequisite for exploitation.

What is the relevance of this vulnerability, and what is its Halo Surface Signal rating?

The remote code execution via JavaScript injection is a high-value target for attackers. While a patch is available, exploit development is possible. The Halo Surface Signal is rated as 'Possible' because the tool, typically an internal security utility, is not designed as a public-facing service, although it could be improperly deployed.

What is the recommended practical response to this vulnerability?

The critical remote code execution vulnerability in ai-scanner should be addressed by patching to version 1.4.1. If immediate patching is not feasible, services using vulnerable versions should be isolated to prevent exploitation, and suspicious network activity should be monitored.
