VYPR

PyPI package

praisonaiagents

pkg:pypi/praisonaiagents

Vulnerabilities (16)

  • CVE-2026-44339HigMay 8, 2026
    affected < 1.6.37fixed 1.6.37

    PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agen

  • CVE-2026-44335CriMay 8, 2026
    affected < 1.6.32fixed 1.6.32

    PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. This issue has been patched in version 1.6.32.

  • CVE-2026-41496HigMay 8, 2026
    affected < 1.6.8fixed 1.6.8

    PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleS

  • CVE-2026-40289CriApr 14, 2026
    affected < 1.5.140fixed 1.5.140

    PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on it

  • CVE-2026-40288CriApr 14, 2026
    affected < 1.5.140fixed 1.5.140

    PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run <file.yaml> loads a YAML file with t

  • CVE-2026-40287HigApr 14, 2026
    affected < 1.5.140fixed 1.5.140

    PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_

  • CVE-2026-40160MedApr 10, 2026
    affected >= 0.13.23, < 1.5.128fixed 1.5.128

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud met

  • CVE-2026-40153HigApr 9, 2026
    affected < 1.5.128fixed 1.5.128

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line 88)

  • CVE-2026-40152MedApr 9, 2026
    affected < 1.5.128fixed 1.5.128

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he list_files() tool in FileTools validates the directory parameter against workspace boundaries via _validate_path(), but passes the pattern parameter directly to Path.glob() without any validation. Since Python's

  • CVE-2026-40150HigApr 9, 2026
    affected < 1.5.128fixed 1.5.128

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are applie

  • CVE-2026-40117MedApr 9, 2026
    affected < 1.5.128fixed 1.5.128

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, an

  • CVE-2026-40111HigApr 9, 2026
    affected < 1.5.128fixed 1.5.128

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed

  • CVE-2026-39888CriApr 8, 2026
    affected < 1.5.115fixed 1.5.115

    PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist embed

  • CVE-2026-34954HigApr 3, 2026
    affected < 1.5.95fixed 1.5.95

    PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who control

  • CVE-2026-34938CriApr 3, 2026
    affected < 1.5.90fixed 1.5.90

    PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapp

  • CVE-2026-34937HigApr 3, 2026
    affected < 1.5.90fixed 1.5.90

    PraisonAI is a multi-agent teams system. Prior to version 1.5.90, run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "" and passing it to subprocess.run(..., shell=True). The escaping logic only handles \ and ",