CVE-2026-47392
Published 2026-05-30 · Severity: critical (10)
A vulnerability described as critical has been identified in MervinPraison PraisonAI. Affected by this vulnerability is the function execute_code. Manipulation of this function leads to a sandbox issue.
This vulnerability is referenced as CVE-2026-47392. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is recommended.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | >= 0 < 4.6.40 | 4.6.40 |
| mervinpraison | praisonaiagents | >= 0 < 1.6.40 | 1.6.40 |
VulDB · 2026-05-30
CVE-2026-47392 [CRITICAL] MervinPraison PraisonAI execute_code sandbox (description as above)
GHSA · 2026-05-29 · CVSS 10.0 · CWE-184
CVE-2026-47392 [CRITICAL] PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
## Summary
`execute_code()` in `praisonaiagents/tools/python_tools.py` (v1.6.37, subprocess sandbox mode) can be fully bypassed using `print.__self__` to retrieve the real Python `builtins` module, from which `__import__` can be extracted via `vars()` and runtime string construction. This achieves arbitrary OS command execution on the host, completely defeating the sandbox.
This is a **novel bypass** that survives all patches for CVE-2026-39888 (frame traversal), CVE-2026-34938 (str subclass), and CVE-2026-40158 (`type.__getattribute__` trampoline).
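The detection side of the pattern the summary describes, as an added example that is neither the project's code nor part of the GHSA advisory: a static pre-check over untrusted source that rejects dunder attribute access (which catches `print.__self__`) plus an assumed, small deny-list of introspection builtins such as `vars`; the sample inputs are constructed.

```python
import ast
from typing import List

# Introspection builtins that hand sandboxed code a way to reach interpreter
# internals. This deny-list is an assumption for the illustration, not the
# project's own fix.
DENIED_NAMES = {"vars", "getattr", "globals", "locals", "__import__", "eval", "exec"}


def _is_dunder(ident: str) -> bool:
    return ident.startswith("__") and ident.endswith("__")


def check_untrusted_source(src: str) -> List[str]:
    """Return policy violations found in src; an empty list means no finding."""
    violations: List[str] = []
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return [f"syntax error: {exc}"]
    for node in ast.walk(tree):
        # `print.__self__` parses as Attribute(value=Name('print'), attr='__self__'),
        # so a literal dunder attribute is visible statically even when later
        # steps build their attribute names from strings at runtime.
        if isinstance(node, ast.Attribute) and _is_dunder(node.attr):
            violations.append(f"line {node.lineno}: dunder attribute access '{node.attr}'")
        elif isinstance(node, ast.Name) and (node.id in DENIED_NAMES or _is_dunder(node.id)):
            violations.append(f"line {node.lineno}: use of '{node.id}'")
    return violations


# Constructed samples: ordinary computation versus the first two steps of the
# pattern the advisory describes (builtins handle, then vars() over it).
BENIGN = "total = sum(range(10))\nprint(total)\n"
SUSPECT = "b = print.__self__\nd = vars(b)\n"

if __name__ == "__main__":
    print("benign:", check_untrusted_source(BENIGN))
    print("suspect:", check_untrusted_source(SUSPECT))
```

A check like this is defence in depth only: the three earlier CVEs listed above show how filters of this kind get bypassed, and the CWE-184 tag on the advisory (an incomplete deny-list) names exactly that weakness, so upgrading to the fixed versions in the table is the actual remedy.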
---
## Severity
**CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H — 9.9 Critical**
---
## Root Cause
Three independent ga
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.