VYPR
Vendor

Praison

Products
3
CVEs
84
Across products
89
Status
Private

Products

3

Recent CVEs

84
View all 84 CVEs →
  • CVE-2026-34938CriApr 3, 2026
    risk 0.65cvss 10.0epss 0.01

    PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr…

  • CVE-2026-44335CriMay 8, 2026
    risk 0.64cvss 9.8epss 0.00

    PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. This issue has been patched in version 1.6.32.

  • CVE-2026-39888CriApr 8, 2026
    risk 0.64cvss 9.9epss 0.01

    PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist…

  • CVE-2026-41497CriMay 8, 2026
    risk 0.57cvss 9.8epss 0.01

    PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing arbitrary executables like bash, python, or /bin/sh with inline code execution…

  • CVE-2026-40315CriApr 14, 2026
    risk 0.57cvss 9.8epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization.…

  • CVE-2026-40288CriApr 14, 2026
    risk 0.57cvss 9.8epss 0.01

    PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run <file.yaml> loads a YAML file with…

  • CVE-2026-40111HigApr 9, 2026
    risk 0.57cvss 8.8epss 0.00

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed…

  • CVE-2026-39890CriApr 8, 2026
    risk 0.57cvss 9.8epss 0.01

    PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file…

  • CVE-2026-34935CriApr 3, 2026
    risk 0.57cvss 9.8epss 0.01

    PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop,…

  • CVE-2026-34934CriApr 3, 2026
    risk 0.57cvss 9.8epss 0.01

    PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via update_thread. When the application…

  • CVE-2026-34954HigApr 3, 2026
    risk 0.56cvss 8.6epss 0.00

    PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who…

  • CVE-2026-44336CriMay 8, 2026
    risk 0.55cvss 9.6epss 0.01

    PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and…

  • CVE-2026-40088CriApr 9, 2026
    risk 0.55cvss 9.6epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands…

  • CVE-2026-40154CriApr 9, 2026
    risk 0.53cvss 9.3epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates. This…

  • CVE-2026-47413criJun 1, 2026
    risk 0.52cvss epss 0.00

    ## Summary **Type:** Privilege escalation / cross-tenant member injection. The `POST /workspaces/{workspace_id}/members` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role="member"`) and forwards the request body's `user_id` and `role`…

  • CVE-2026-47416criMay 29, 2026
    risk 0.52cvss epss 0.00

    ## Summary **Type:** Vertical privilege escalation. The `PATCH /workspaces/{workspace_id}/members/{user_id}` endpoint is gated by `require_workspace_member(workspace_id)`, which defaults to `min_role="member"` and is never overridden by the route. The handler then calls…

  • CVE-2026-47410criMay 29, 2026
    risk 0.52cvss epss 0.00

    ## Summary **Type:** Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal `"dev-secret-change-me"` when `PLATFORM_JWT_SECRET` is unset. A safety check exists but only fires when `PLATFORM_ENV != "dev"`; the default value of `PLATFORM_ENV`…

  • CVE-2026-47407criMay 29, 2026
    risk 0.52cvss epss 0.00

    ## Summary The Platform server exposes resources under `/api/v1/workspaces/{workspace_id}/...` and protects them with a `require_workspace_member(workspace_id)` FastAPI dependency. The dependency only checks that the caller is a member of the workspace_id in the URL prefix. The…

  • CVE-2026-47391criMay 29, 2026
    risk 0.52cvss epss 0.00

    ## Summary The first-party PraisonAI A2A server example combines three behaviors into a remotely exploitable Critical chain: 1. The example exposes an A2A server without configuring `auth_token`. 2. The same example binds the server to `0.0.0.0`. 3. The example registers a…

  • CVE-2026-47392criMay 29, 2026
    risk 0.52cvss epss 0.00

    ## Summary `execute_code()` in `praisonaiagents/tools/python_tools.py` (v1.6.37, subprocess sandbox mode) can be fully bypassed using `print.__self__` to retrieve the real Python `builtins` module, from which `__import__` can be extracted via `vars()` and runtime string…