cvebase

Mervinpraison Praisonai vulnerabilities

53 known vulnerabilities affecting mervinpraison/praisonai.

Total CVEs: 53
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 22, HIGH 24, MEDIUM 7

Vulnerabilities

Page 3 of 3
CVE-2026-44337 | P3 | MEDIUM | CVSS 6.3 | v >= 2.4.1, < 4.6.34 | 2026-05-08
CVE-2026-44337 [MEDIUM] CWE-20: PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. T
ghsa, nvd
CVE-2026-40148 | P4 | MEDIUM | CVSS 6.5 | fixed in 4.5.128 | 2026-04-09
CVE-2026-40148 [MEDIUM] CWE-409: PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall() function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractall(). An attacker can publish a malicious recipe bu
ghsa, nvd
CVE-2026-40112 | P4 | MEDIUM | CVSS 6.1 | fixed in 4.5.128 | 2026-04-09
CVE-2026-40112 [MEDIUM] CWE-79: PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the san
ghsa, nvd
CVE-2026-40159 | P4 | MEDIUM | CVSS 5.5 | fixed in 4.5.128 | 2026-04-10
CVE-2026-40159 [MEDIUM] CWE-200: PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., MCP("npx -y @smithery/cli ...")). These commands are executed through Python’s subprocess module. By default, the implementation forwards the entire par
ghsa, nvd
CVE-2026-47392 | CRITICAL | CVSS 10.0 | ≥ 0, < 4.6.40 | 2026-05-29
CVE-2026-47392 [CRITICAL] CWE-184: PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode). Summary: `execute_code()` in `praisonaiagents/tools/python_tools.py` (v1.6.37, subprocess sandbox mode) can be fully bypassed using `print.__self__` to retrieve the real Python `builtins` module, from which `__import__` can be e
ghsa
CVE-2026-47394 | CRITICAL | CVSS 9.4 | ≥ 0, < 4.6.40 | 2026-05-29
CVE-2026-47394 [CRITICAL] CWE-200: PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate. Summary: The fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in `mcp_server/adapters/cli_tools.py`: > "registers four file-handling tools by default
ghsa
CVE-2026-47398 | HIGH | CVSS 7.8 | ≥ 0, < 4.6.40 | 2026-05-29
CVE-2026-47398 [HIGH] CWE-829: PraisonAI: Arbitrary code execution via unguarded `spec.loader.exec_module` in `agents_generator.py` - sibling of CVE-2026-44334. Arbitrary code execution via ungated spec.loader.exec_module in agents_generator.py (v4.6.32 chokepoint refactor bypass). Summary: The v4.6.32 chokepoint refactor (which patched CVE-2026-44334 / GHSA-xcmw-grxf-wjh
ghsa
CVE-2026-47393 | HIGH | CVSS 7.3 | ≥ 0, < 4.6.40 | 2026-05-29
CVE-2026-47393 [HIGH] CWE-1188: PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default. Summary: CVE-2026-44338 (GHSA-6rmh-7xcm-cpxj) documents that PraisonAI ships a code-generator (`praisonai.deploy.api.generate_api_server_code`) that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart (`praisonai deploy --typ
ghsa
CVE-2026-47396 | CRITICAL | ≥ 0, < 4.6.40 | 2026-05-29
CVE-2026-47396 [CRITICAL] CWE-284: PraisonAI call server exposes unauthenticated agent listing, invocation, and deletion when CALL_SERVER_TOKEN is unset. Summary: PraisonAI's call server exposes a network-facing agent control API without authentication when `CALL_SERVER_TOKEN` is not configured. The affected component is the `praisonai.api.agent_invoke` router as mounted by `
ghsa
CVE-2026-47391 | CRITICAL | ≥ 0, < 4.6.40 | 2026-05-29
CVE-2026-47391 [CRITICAL] CWE-306: PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution. Summary: The first-party PraisonAI A2A server example combines three behaviors into a remotely exploitable Critical chain: 1. The example exposes an A2A server without configuring `auth_token`. 2. The same example binds the server to `0.0.0.0`. 3. The example reg
ghsa
CVE-2026-47397 | HIGH | ≥ 0, < 4.6.40 | 2026-05-29
CVE-2026-47397 [HIGH] CWE-22: PraisonAI has an Arbitrary File Write in Python API. Bug Report: Arbitrary File Write in Python API. Summary: Hidden metadata in a webpage causes PraisonAI agents to write attacker-controlled content to arbitrary paths. `write_file` skips path validation when `workspace=None` (always `None` in production). Affected PraisonAI output_file: /tmp/flag.txt output_content: NSS{taint_style_xagent_pwned} save_outp
ghsa
CVE-2026-47390 | MEDIUM | ≥ 0, < 4.6.40 | 2026-05-29
CVE-2026-47390 [MEDIUM] CWE-918: PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings. Summary: PraisonAI's `spider_tools` URL validation can be bypassed using alternate loopback host encodings. The affected component is `praisonaiagents/tools/spider_tools.py`. The tool contains a URL validation function intended to block local or unsafe targets before fetching atta
ghsa
CVE-2026-47395 | MEDIUM | ≥ 0, < 4.6.40 | 2026-05-29
CVE-2026-47395 [MEDIUM] CWE-200: PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context. Summary: PraisonAI's direct-prompt CLI automatically expands `@url:` mentions in raw prompt text before agent execution begins. If a prompt contains `@url:`, the CLI calls `MentionsParser.process(...)`. The `@url:` handler then performs a
ghsa