CVE-2026-27961 — HIGH (8.8)

Q: How severe is CVE-2026-27961?

CVE-2026-27961 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-27961?

Check the references section above for vendor advisories and patch information. Affected products include: Agentatech Agenta.

Vulnerability Description

Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage — it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Agentatech	Agenta	< 0.86.8

Related Weaknesses (CWE)

CWE-1336

References

https://github.com/Agenta-AI/agenta/security/advisories/GHSA-cfr2-mp74-3763Vendor Advisory

FAQ

What is CVE-2026-27961?

CVE-2026-27961 is a vulnerability with a CVSS score of 8.8 (HIGH). Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vul...

How severe is CVE-2026-27961?

CVE-2026-27961 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-27961?

Check the references section above for vendor advisories and patch information. Affected products include: Agentatech Agenta.