Critical CVE in MS-Agent AI Framework Allows Full System Compromise via Agent Hijacking
A critical vulnerability in ModelScope’s MS-Agent framework — now officially tracked as CVE-2026-2256 — allows an attacker to achieve full system compromise through code injection via an AI agent’s prompt pipeline. If you’re running MS-Agent v1.6.0rc1 or earlier in any deployment, this is a drop-everything patch situation. The vulnerability was disclosed today by multiple security outlets, with full CVE record details confirmed by SecurityWeek, GBHackers, CyberPress, and OffSeq Threat Radar. ...
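A version check for the affected range stated above, as an added example (not code from the CVE record or from the MS-Agent project). It assumes the framework is installed under the distribution name `ms-agent` and parses only a subset of PEP 440 version strings; `version_key`, `is_affected` and `check_installed` are hypothetical helper names.

```python
import re
from importlib import metadata

LAST_AFFECTED = "1.6.0rc1"   # boundary stated in the article: this and earlier
DIST_NAME = "ms-agent"       # assumption: installed distribution name

_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_VERSION_RE = re.compile(
    r"^v?(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?(?:\.post(\d+))?(?:\.dev(\d+))?$"
)

def version_key(text):
    """Sort key for a PEP 440 subset: release, a/b/rc, .postN, .devN."""
    m = _VERSION_RE.match(text.strip().lower().split("+")[0])
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()                      # 1.6 and 1.6.0 compare equal
    kind, pre_n, post, dev = m.group(2), m.group(3), m.group(4), m.group(5)
    if kind:
        pre = (_PRE_RANK[kind], int(pre_n))
    elif dev is not None and post is None:
        pre = (-1, 0)                      # bare .devN sorts before any a/b/rc
    else:
        pre = (3, 0)                       # final release sorts after every rc
    return (tuple(release), pre,
            int(post) if post is not None else -1,
            int(dev) if dev is not None else float("inf"))

def is_affected(version):
    """True when version is at or below the last affected release."""
    return version_key(version) <= version_key(LAST_AFFECTED)

def check_installed(dist=DIST_NAME):
    """Return (version, affected) for this environment, or None if absent."""
    try:
        found = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None
    return found, is_affected(found)

if __name__ == "__main__":
    # Constructed sample versions; a plain string compare ranks "1.6.0rc1"
    # above "1.6.0", which would put the boundary in the wrong place.
    for sample in ("1.5.2", "1.6.0rc1", "1.6.0", "1.6.1"):
        print(sample, "AFFECTED" if is_affected(sample) else "above stated range")
    print(DIST_NAME, "installed:", check_installed())
```

Run it inside each virtual environment or container image that may carry the framework, since `check_installed` only sees the interpreter it runs under.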