CVE-2026-15519: Inclusion of Functionality from Untrusted Control Sphere in usestrix strix
CVE-2026-15519 is a low-severity vulnerability in usestrix strix versions 1.0.0, 1.0.1, and 1.0.2. It involves inclusion of functionality from an untrusted control sphere via manipulation of an unknown function in the file system_prompt.jinja of the PyPI Handler component. The vulnerability can be exploited remotely but requires high attack complexity and is difficult to exploit. No official vendor response or patch is available.
AI Analysis
Technical Summary
This vulnerability affects usestrix strix up to version 1.0.2 and involves the inclusion of functionality from an untrusted control sphere due to manipulation of an unspecified function in the file system_prompt.jinja template within the PyPI Handler component. The attack can be performed remotely but requires a high level of complexity and is considered difficult to exploit. The vendor was contacted but did not respond, and no remediation or patch has been published. The CVSS 4.0 base score is 2.3, indicating low severity.
Potential Impact
The vulnerability allows an attacker to include functionality from an untrusted control sphere, which could potentially lead to unintended behavior or code execution within the affected component. However, the low CVSS score and high attack complexity suggest limited impact and low likelihood of successful exploitation. No known exploits are reported in the wild.
Mitigation Recommendations
No official fix or patch is currently available from the vendor. Due to the lack of vendor response, users should consider mitigating exposure by restricting access to the affected component or applying custom controls to validate inputs related to the PyPI Handler's system_prompt.jinja usage. Monitor vendor channels for any future advisories or patches. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-15519: Inclusion of Functionality from Untrusted Control Sphere in usestrix strix
Description
CVE-2026-15519 is a low-severity vulnerability in usestrix strix versions 1.0.0, 1.0.1, and 1.0.2. It involves inclusion of functionality from an untrusted control sphere via manipulation of an unknown function in the file system_prompt.jinja of the PyPI Handler component. The vulnerability can be exploited remotely but requires high attack complexity and is difficult to exploit. No official vendor response or patch is available.
CVSS v4.0
Score 2.3low
Affected software
cpe:2.3:a:usestrix:strix:*:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects usestrix strix up to version 1.0.2 and involves the inclusion of functionality from an untrusted control sphere due to manipulation of an unspecified function in the file system_prompt.jinja template within the PyPI Handler component. The attack can be performed remotely but requires a high level of complexity and is considered difficult to exploit. The vendor was contacted but did not respond, and no remediation or patch has been published. The CVSS 4.0 base score is 2.3, indicating low severity.
Potential Impact
The vulnerability allows an attacker to include functionality from an untrusted control sphere, which could potentially lead to unintended behavior or code execution within the affected component. However, the low CVSS score and high attack complexity suggest limited impact and low likelihood of successful exploitation. No known exploits are reported in the wild.
Mitigation Recommendations
No official fix or patch is currently available from the vendor. Due to the lack of vendor response, users should consider mitigating exposure by restricting access to the affected component or applying custom controls to validate inputs related to the PyPI Handler's system_prompt.jinja usage. Monitor vendor channels for any future advisories or patches. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-07-12T11:16:58.125Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a5443d268715ace43e61ba8
Added to database: 07/13/2026, 01:48:02 UTC
Last enriched: 07/13/2026, 02:02:47 UTC
Last updated: 07/13/2026, 02:29:33 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.