Praison

Praisonaiagents

15 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.

Exploit
  • EPSS 0.27%
  • Published 09.04.2026 22:16:35
  • Last modified 24.04.2026 14:53:03

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or pri...

Exploit
  • EPSS 0.23%
  • Published 09.04.2026 22:16:34
  • Last modified 17.04.2026 19:40:24

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py....

Exploit
  • EPSS 0.55%
  • Published 03.04.2026 23:17:06
  • Last modified 14.04.2026 18:09:51

PraisonAI is a multi-agent teams system. Prior to version 1.5.90, run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passing it to subprocess.run(..., shell=True). The escapi...

Exploit
  • EPSS 0.71%
  • Published 03.04.2026 23:17:06
  • Last modified 14.04.2026 18:07:19

PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() met...

Exploit
  • EPSS 0.41%
  • Published 03.04.2026 23:17:06
  • Last modified 13.04.2026 18:46:18

PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects...