CVE-2026-44972 is a low-severity vulnerability with a CVSS score of 0.0. No known public exploits at this time.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject ANSI or OSC escape sequences into analyst terminals or CI logs.
The finding formatter stores file paths and snippets from scanned content:

    location = file_path + ":" + str(start_line)
    finding = {
        "location": location,
        "code": code,
        "message": result["extra"]["message"],
    }
The human-readable reporter later prints these values directly:

    " * " + finding["message"] + " at " + finding["location"] + "\n " + _format_code_line_for_output(finding["code"])
No escaping is applied for control characters such as \x1b. A malicious package can therefore ship a filename like:

    evil\x1b[2J.py

or matched source lines containing terminal escapes, which survive into the final CLI output.

Affected functions:
- Analyzer._format_semgrep_response()
- HumanReadableReporter.print_scan_results()

Affected locations:
- guarddog/analyzer/analyzer.py:377-392
- guarddog/reporters/human_readable.py:36-42
- guarddog/reporters/human_readable.py:84-91

This can be used to:
As of 2026-03-18, no matching public GitHub advisory, CVE, or public repo issue was found for this specific bug.
Escape or strip terminal control characters before rendering any attacker-controlled value in human-readable output. This should cover package names, file paths, messages, and code snippets.
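The following is an added example, not GuardDog's own code, showing the fix described above: a small escaper that renders C0/C1 control characters as visible `\xNN` text before the reporter concatenates attacker-controlled fields, alongside a check that can flag raw CSI/OSC introducers in CI log output. The `SAMPLE_FINDING` dict, the `format_finding` helper (which mirrors the reporter's string concatenation) and the `has_terminal_escape` check are assumptions constructed for this example.

```python
import re

# C0 controls except TAB (\x09), DEL, and C1 controls. ESC (\x1b) covers CSI
# and OSC; \x9b/\x9d are the 8-bit CSI/OSC forms; \x0a/\x0d are escaped so a
# message cannot forge an extra finding line. TAB is kept because source
# snippets legitimately contain it.
_CONTROL_CHAR_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f\x80-\x9f]")

# CSI (ESC [ or 0x9b) and OSC (ESC ] or 0x9d) introducers in raw output.
_TERMINAL_ESCAPE_RE = re.compile(r"\x1b[\[\]]|[\x9b\x9d]")


def escape_control_chars(value: str) -> str:
    """Render each control character as visible text, e.g. ESC -> '\\x1b'."""
    return _CONTROL_CHAR_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def format_finding(finding: dict, escape: bool = True) -> str:
    """Mirror of the reporter's concatenation (constructed for this example).

    escape=False reproduces the vulnerable behaviour: fields are printed verbatim.
    escape=True is the hardened form: every attacker-controlled field is escaped
    before it is joined into the output line.
    """
    fields = {k: str(v) for k, v in finding.items()}
    if escape:
        fields = {k: escape_control_chars(v) for k, v in fields.items()}
    return (
        " * " + fields["message"] + " at " + fields["location"]
        + "\n    " + fields["code"]
    )


def has_terminal_escape(text: str) -> bool:
    """True if text still contains a raw CSI or OSC introducer (useful as a CI log check)."""
    return _TERMINAL_ESCAPE_RE.search(text) is not None


# Constructed sample finding: a filename carrying a clear-screen CSI sequence,
# a source line carrying an OSC "set window title" sequence, and a message
# with an embedded newline.
SAMPLE_FINDING = {
    "location": "evil\x1b[2J.py:12",
    "code": "import os  \x1b]0;owned\x07",
    "message": "Code execution via eval\n * fake-finding injected",
}


if __name__ == "__main__":
    print("vulnerable:", repr(format_finding(SAMPLE_FINDING, escape=False)))
    print("hardened:  ", repr(format_finding(SAMPLE_FINDING)))
    print("raw escapes left in hardened output:",
          has_terminal_escape(format_finding(SAMPLE_FINDING)))
```

The escaper is applied per field rather than to the final line so that the reporter's own separators (" * ", " at ", the newline before the snippet) stay intact while nothing a package author controls can reach the terminal unescaped.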
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.