pptx
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): Path Traversal (ZipSlip) vulnerability in ooxml/scripts/unpack.py and ooxml/scripts/validation/docx.py. These scripts use zipfile.ZipFile.extractall() without validating archive member paths, allowing a malicious document to overwrite files outside the target directory using ../ sequences.
- [REMOTE_CODE_EXECUTION] (LOW): External Command Execution in ooxml/scripts/pack.py. The script executes soffice via subprocess.run to validate document integrity. While arguments are passed as a list, this relies on an external binary to process untrusted data.
- [DATA_EXFILTRATION] (LOW): Insecure XML Parsing in ooxml/scripts/validation/docx.py. The script uses lxml.etree.parse() without disabling external entities. This presents an XXE risk, as the parser might attempt to resolve and exfiltrate local file content or interact with internal network resources.
Recommendations
- AI detected serious security threats
Audit Metadata