VYPR
Critical severity9.9NVD Advisory· Published Feb 6, 2026· Updated Apr 15, 2026

CVE-2026-25592

CVE-2026-25592

Description

Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync  or UploadFileAsync and ensures the provided localFilePath is allow listed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
semantic-kernelPyPI
< 1.39.31.39.3
Microsoft.SemanticKernel.CoreNuGet
< 1.71.01.71.0

Affected products

3

Patches

Vulnerability mechanics

References

5

News mentions

3