When prompts become shells: RCE vulnerabilities in AI agent frameworks
ID: 5f6c39d2-6850-5e37-8dd6-bdfa2fcb9359
STIX ID: report--5f6c39d2-6850-5e37-8dd6-bdfa2fcb9359
Feed Name: Microsoft Security
Date Published: 2026-05-07
Date Updated: 2026-05-07
Author: Microsoft Defender Security Research Team, Uri Oren, Amit Eliahu and Dor Edry
This report details the discovery and responsible disclosure of two critical vulnerabilities in Microsoft Semantic Kernel—an eval-based filter injection in the In-Memory Vector Store (CVE-2026-26030) enabling host RCE via crafted prompts, and an exposed file-download tool in SessionsPythonPlugin (CVE-2026-25592) enabling arbitrary host file writes and sandbox escape. The authors describe exploitation chains, provide proof-of-concept behavior (including spawning calc.exe), recommend immediate upgrades and defense-in-depth mitigations, and supply hunting queries and remediation guidance to detect and respond to potential compromises.
