ai-scanner RCE: Critical JavaScript Injection in BrowserAutomation

The National Vulnerability Database has disclosed CVE-2026-41512, a critical remote code execution (RCE) vulnerability in ai-scanner, an AI model safety scanner built on NVIDIA garak. This flaw, present in versions 1.0.0 through 1.4.0, stems from a JavaScript injection vulnerability within the BrowserAutomation::PlaywrightService component.

Rated CVSS 9.9 (CRITICAL), this vulnerability allows an authenticated attacker with low privileges to execute arbitrary code remotely. The attack vector is network-based, requires no user interaction, and has high impacts on confidentiality, integrity, and availability. It’s a classic CWE-94 issue: Improper Control of Generation of Code (‘Code Injection’).

Defenders need to understand the attacker’s calculus here: low privileges, no user interaction, and a network vector make this highly exploitable. Any organization using ai-scanner must prioritize patching. The National Vulnerability Database confirms this issue has been patched in version 1.4.1. Upgrade immediately.

What This Means For You

  • If your organization uses ai-scanner, specifically versions 1.0.0 to 1.4.0, you are exposed to critical remote code execution. Patch to version 1.4.1 immediately. Review your asset inventory for instances of ai-scanner and ensure they are updated. This is not a vulnerability to defer.

Detection Rules

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

Rule: CVE-2026-41512 - ai-scanner JavaScript Injection via PlaywrightService (critical, T1190 Initial Access)

Sigma YAML:
title: CVE-2026-41512 - ai-scanner JavaScript Injection via PlaywrightService
id: scw-2026-05-08-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-41512 by identifying POST requests to '/api/v1/scan' endpoints that contain 'javascript:' within the URI query parameters, indicating a potential JavaScript injection attempt targeting the BrowserAutomation::PlaywrightService in ai-scanner.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41512/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # All three field conditions below must match the same log record (logical AND).
  selection:
    cs-uri|contains:
      - '/api/v1/scan'
    # Inspects the logged query string only; a POST request body is not
    # recorded in standard web server access logs.
    cs-uri-query|contains:
      - 'javascript:'
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
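
An added example, not part of the original page and not the rule author's code: a Python emulation of the rule's selection, run over constructed log records to compare literal 'contains' matching on cs-uri-query with matching after percent-decoding. The endpoint, marker string and method come from the rule above; the `target` parameter name, the sample records, and the assumption that the server logs the query string as received (still percent-encoded) are made for illustration.

```python
from urllib.parse import unquote

# Values taken from the Sigma rule on this page.
URI_MARKER, QUERY_MARKER, METHOD = "/api/v1/scan", "javascript:", "POST"

# Constructed sample records, not real traffic. "target" is a hypothetical parameter name.
SAMPLE_LOGS = [
    {"cs-method": "POST", "cs-uri": "/api/v1/scan", "cs-uri-query": "target=javascript:void(0)"},
    {"cs-method": "POST", "cs-uri": "/api/v1/scan", "cs-uri-query": "target=JavaScript%3Avoid(0)"},
    {"cs-method": "POST", "cs-uri": "/api/v1/scan", "cs-uri-query": "target=javascript%253Avoid(0)"},
    {"cs-method": "POST", "cs-uri": "/api/v1/scan", "cs-uri-query": "target=https://example.test/"},
    {"cs-method": "GET", "cs-uri": "/api/v1/scan", "cs-uri-query": "target=javascript:void(0)"},
    {"cs-method": "POST", "cs-uri": "/api/v1/scan", "cs-uri-query": ""},  # input sent in the body
]

def to_endpoint(rec):
    """POST request whose URI contains the scan endpoint."""
    return rec["cs-method"].upper() == METHOD and URI_MARKER in rec["cs-uri"].lower()

def sigma_literal_match(rec):
    """The rule as written: case-insensitive 'contains' on the raw logged query."""
    return to_endpoint(rec) and QUERY_MARKER in rec["cs-uri-query"].lower()

def normalise(value, max_rounds=3):
    """Percent-decode a bounded number of times, then lowercase."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()

def normalised_match(rec):
    """Same selection, applied after decoding the query string."""
    return to_endpoint(rec) and QUERY_MARKER in normalise(rec["cs-uri-query"])

def coverage(logs):
    """Indices hit by the literal rule, by the normalised rule, and POSTs with no query to inspect."""
    literal = [i for i, r in enumerate(logs) if sigma_literal_match(r)]
    normal = [i for i, r in enumerate(logs) if normalised_match(r)]
    blind = [i for i, r in enumerate(logs) if to_endpoint(r) and not r["cs-uri-query"]]
    return literal, normal, blind

if __name__ == "__main__":
    for name, hits in zip(("literal", "normalised", "no query logged"), coverage(SAMPLE_LOGS)):
        print(f"{name}: records {hits}")
```

Records 1 and 2 match only after decoding, and record 5 leaves nothing in cs-uri-query for either form to inspect, so the rule should be treated as a supplement to upgrading to 1.4.1 rather than as full coverage.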


Indicators of Compromise

ID             | Type           | Indicator
CVE-2026-41512 | RCE            | ai-scanner versions 1.0.0 to 1.4.0
CVE-2026-41512 | Code Injection | ai-scanner via JavaScript injection
CVE-2026-41512 | RCE            | ai-scanner vulnerable component: BrowserAutomation::PlaywrightService

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 17:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
