CVE-2026-4500 identifies an injection vulnerability in the bagofwords1 bagofwords software, a component likely used for natural language processing or AI code execution tasks. The vulnerability resides in the generate_df function within the backend/app/ai/code_execution/code_execution.py file, affecting versions up to 0.0.297. Injection vulnerabilities occur when untrusted input is improperly handled, allowing attackers to inject malicious code or commands that the system executes. This particular flaw can be exploited remotely without authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The vulnerability does not require system compromise or user action to exploit, but some privileges are needed, suggesting it may be exploitable by authenticated users with limited rights or through other means. The patch identified by commit 47b20bcda31264635faff7f6b1c8095abe1861c6 addresses the issue and is included in version 0.0.298. No public exploits have been observed in the wild yet, but the exploit code is publicly available, which could facilitate attacks. The vulnerability's presence in an AI code execution context raises concerns about potential manipulation of AI workflows or data processing pipelines, which could lead to data corruption or unauthorized code execution.

The injection vulnerability in bagofwords1 bagofwords can lead to unauthorized code execution or data manipulation within AI code execution environments. This can compromise the confidentiality of sensitive data processed by the system, integrity of AI models or datasets, and availability of AI services if exploited to disrupt operations. Since the attack can be launched remotely without user interaction, it increases the attack surface significantly. Organizations relying on this component for AI or NLP tasks may face risks of data breaches, corrupted AI outputs, or denial of service. The medium CVSS score reflects moderate impact, but the potential for AI workflow manipulation could have cascading effects in automated environments. The requirement for some privileges limits exploitation to environments where attackers have limited access, but this still poses a significant risk in multi-tenant or shared systems. The absence of known active exploits reduces immediate risk but does not eliminate the threat, especially given public exploit availability.

To mitigate CVE-2026-4500, organizations should immediately upgrade bagofwords1 bagofwords to version 0.0.298 or later, which contains the official patch. In environments where immediate upgrade is not feasible, implement strict input validation and sanitization around the generate_df function to prevent injection of malicious payloads. Employ network segmentation and access controls to limit exposure of the vulnerable component to untrusted networks. Monitor logs and AI execution outputs for anomalous behavior indicative of injection attempts. Restrict privileges of users and services interacting with the vulnerable function to the minimum necessary. Consider deploying runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules targeting injection patterns specific to this component. Regularly audit AI code execution environments for unauthorized changes or suspicious activity. Finally, maintain awareness of threat intelligence updates for any emerging exploits targeting this vulnerability.