www.microsoft.com 5/7/2026, 9:31:34 PM · via preferred

When prompts become shells: RCE vulnerabilities in AI agent frameworks

CyberSIXT Evidence Panel: Source marked as original reporting · CISA KEV: Not in KEV · Patch: Available

According to the Microsoft Defender Security Research Team, the article outlines two critical vulnerabilities in Microsoft’s Semantic Kernel, CVE-2026-26030 and CVE-2026-25592, which could allow a prompt injection to escalate to host-level remote code execution. CVE-2026-26030 stems from unsafe string interpolation in the In-Memory Vector Store used by the Search Plugin: an attacker can craft a payload that escapes the lambda filter and executes arbitrary shell commands, such as launching calc[.]exe.

A four-layer mitigation was implemented, including an AST allowlist, a function-call allowlist, a dangerous-attributes blocklist, and a restricted name-node policy, with a patch that requires upgrading to Semantic Kernel 1.39.4 or later.
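A sketch of the layered filter validation the post describes, added here as an example; it is not Semantic Kernel's own code. It assumes the vector-store filter arrives as a Python lambda expression string (the page does not state the exact form) and uses assumed allowlists.

```python
import ast
from typing import Tuple

# Layer 1: AST node types a filter lambda may contain (assumed set, not SK's own).
ALLOWED_NODES = (
    ast.Expression, ast.Lambda, ast.arguments, ast.arg, ast.BoolOp, ast.And, ast.Or,
    ast.UnaryOp, ast.Not, ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt,
    ast.GtE, ast.In, ast.NotIn, ast.Attribute, ast.Name, ast.Load, ast.Constant,
    ast.Call, ast.Subscript, ast.List, ast.Tuple,
)
# Layer 2: the only callables a filter may invoke (assumed allowlist); method calls are rejected.
ALLOWED_CALLS = {"len", "str", "int", "float", "any", "all"}
# Layer 3: attribute names that must never be reachable from a filter (dunder/private access
# lets an expression climb out of the record object into the interpreter's object model).
DENIED_ATTRS = {"__class__", "__subclasses__", "__globals__", "__builtins__", "__import__"}


def validate_filter(source: str) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only if all four layers accept the expression."""
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        return False, f"syntax: {exc.msg}"
    if not isinstance(tree.body, ast.Lambda):
        return False, "filter must be a lambda expression"
    params = {a.arg for a in tree.body.args.args}  # names the lambda itself binds
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):                       # layer 1
            return False, f"node type {type(node).__name__} not allowed"
        if isinstance(node, ast.Call):                                # layer 2
            if not isinstance(node.func, ast.Name) or node.func.id not in ALLOWED_CALLS:
                return False, "call target not in allowlist"
        if isinstance(node, ast.Attribute):                           # layer 3
            if node.attr.startswith("_") or node.attr in DENIED_ATTRS:
                return False, f"attribute {node.attr!r} is blocked"
        if isinstance(node, ast.Name):                                # layer 4
            if node.id not in params and node.id not in ALLOWED_CALLS:
                return False, f"name {node.id!r} is not a lambda parameter"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample filters: one legitimate, the rest rejected by a specific layer.
    for src in ("lambda r: r.category == 'security' and len(r.tags) > 0",
                "lambda r: open('f')", "lambda r: r.__class__", "lambda r: y == 1"):
        print(f"{src!r:60} -> {validate_filter(src)}")
```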

Separately, CVE-2026-25592 describes an arbitrary file write through the SessionsPythonPlugin: an exposed DownloadFileAsync tool in the .NET SDK could be prompted to write to the host’s Startup folder, enabling full host compromise. It was mitigated by removing the KernelFunction attribute and adding path validation. The post urges users to upgrade to protect their agents, notes the vulnerability window, and offers guidance on post-exploitation indicators and investigation.


Article by CyberSIXT