9.6

CVE-2026-40154

Exploit

EPSS 0.03%
Veröffentlicht 09.04.2026 22:16:36
Zuletzt bearbeitet 15.04.2026 18:56:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates. This vulnerability is fixed in 4.5.128.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Praison ≫ Praisonai Version < 4.5.128

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.089

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.6	2.8	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
security-advisories@github.com	9.3	2.8	5.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pv9q-275h-rh7x

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-40154

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40154

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40154

EUVD