8.8

Agenta LLMOps Platform: API Server Template Injection Risk

CVE-2026-27961
Summary

A Server-Side Template Injection (SSTI) issue in evaluator template rendering affects self-hosted or managed Agenta deployments; standalone SDK usage is not affected. If not updated, an attacker could potentially inject malicious code into the platform's API server. To fix, update to version 0.86.8 or later.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
agentatech | agenta | <= 0.86.8 |
Original description
Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage — it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue.
NVD CVSS 3.1 score: 8.8
Vulnerability type
CWE-1336
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026