CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-58449

criticalCVSS 9.8covered by 1 sourcefirst seen 2026-06-30
txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which performs import and getattr on the caller-supplied dotted path with no allowlist. When the API is exposed with no TOKEN configured (authentication is opt-in, so all endpoints are unauthenticated) and the index is configured writable, a remote attacker can set function to an arbitrary callable such as subprocess.getoutput, achieving remote code execution as the server process during reindexing. Exploitation requires those deployment conditions (API exposed, no TOKEN, writable index); it is not the default configuration. The fix gates the endpoint behind a new reindex configuration flag.

⚡ Watch CVE-2026-58449

Get an email if CVE-2026-58449 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-58449

CVE.org record

Embed the live status

CVE-2026-58449 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-58449 status](https://www.csirts.com/badge/CVE-2026-58449)](https://www.csirts.com/cve/CVE-2026-58449)