PyPI: pydantic-ai
CVE-2026-25640
Safety vulnerability ID: SFTY-20260206-15384
Safety legacy ID: pyup.io-86134
Affected versions of the pydantic-ai package are vulnerable to Cross-site Scripting (XSS) due to an unvalidated version query parameter being used to build a CDN URL. In the Pydantic AI web UI served via Agent.to_web or clai web, the server constructs the frontend fetch URL from the request’s version parameter without neutralizing path traversal sequences, allowing it to retrieve and serve attacker-controlled HTML/JavaScript from another path on the same CDN instead of the intended UI bundle.
Overview
Pydantic AI has Stored XSS via Path Traversal in Web UI CDN URL
Advisory
Affected versions of the pydantic-ai package are vulnerable to Cross-site Scripting (XSS) due to an unvalidated version query parameter being used to build a CDN URL. In the Pydantic AI web UI served via Agent.to_web or clai web, the server constructs the frontend fetch URL from the request’s version parameter without neutralizing path traversal sequences, allowing it to retrieve and serve attacker-controlled HTML/JavaScript from another path on the same CDN instead of the intended UI bundle.
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20260206-15384/CVE-2026-25640
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25640
- https://github.com/advisories/GHSA-wjp5-868j-wqv7
- https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-wjp5-868j-wqv7
- https://nvd.nist.gov/vuln/detail/CVE-2026-25640
- https://github.com/pydantic/pydantic-ai/releases/tag/v1.51.0
- https://github.com/advisories/GHSA-wjp5-868j-wqv7
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more