| CVE-2026-41497 | critical | 9.8 | 9.8 | 20d ago | PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection |
| CVE-2026-44336 | critical | 9.6 | 9.6 | 20d ago | PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection |
| CVE-2026-39890 | critical | — | 9.5 | 2mo ago | PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading |
| CVE-2026-44339 | high | 8.6 | 8.6 | 20d ago | PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute |
| CVE-2026-44334 | high | 8.4 | 8.4 | 20d ago | PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass) |
| CVE-2026-41496 | high | 8.1 | 8.1 | 20d ago | PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315) |
| CVE-2026-44340 | high | 7.5 | 7.5 | 20d ago | PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir` |
| CVE-2026-44338 | high | 7.3 | 7.3 | 17d ago | PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution |
| CVE-2026-44337 | medium | 6.3 | 6.3 | 17d ago | PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries |
| CVE-2026-40289 | unknown | — | — | 2mo ago | PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions |
| CVE-2026-40288 | unknown | — | — | 2mo ago | PraisonAI has critical RCE via `type: job` workflow YAML |
| CVE-2026-40287 | unknown | — | — | 2mo ago | PraisonAI Vulnerable to RCE via Automatic tools.py Import |
| CVE-2026-40315 | unknown | — | — | 2mo ago | PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries |
| CVE-2026-40114 | unknown | — | — | 2mo ago | PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API |
| CVE-2026-40159 | unknown | — | — | 2mo ago | PraisonAI Vulnerable to Sensitive Environment Variable Exposure via Untrusted MCP Subprocess Execution |
| CVE-2026-40157 | unknown | — | — | 2mo ago | PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack` |
| CVE-2026-40156 | unknown | — | — | 2mo ago | PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading |
| CVE-2026-40148 | unknown | — | — | 2mo ago | PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits |
| CVE-2026-40154 | unknown | — | — | 2mo ago | PraisonAI Vulnerable Untrusted Remote Template Code Execution |
| CVE-2026-40158 | unknown | — | — | 2mo ago | PraisonAI Vulnerable to Code Injection and Protection Mechanism Failure |
| CVE-2026-40151 | unknown | — | — | 2mo ago | PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS |
| CVE-2026-40149 | unknown | — | — | 2mo ago | PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls |
| CVE-2026-40115 | unknown | — | — | 2mo ago | PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS |
| CVE-2026-40116 | unknown | — | — | 2mo ago | PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits |
| CVE-2026-40113 | unknown | — | — | 2mo ago | PraisonAI Vulnerable to Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars |
| CVE-2026-40112 | unknown | — | — | 2mo ago | PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency) |
| CVE-2026-40088 | unknown | — | — | 2mo ago | PraisonAI Vulnerable to OS Command Injection |
| CVE-2026-39891 | unknown | — | — | 2mo ago | PraisonAI has Template Injection in Agent Tool Definitions |
| CVE-2026-39889 | unknown | — | — | 2mo ago | PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server |
| CVE-2026-35615 | unknown | — | — | 2mo ago | PraisonAI Has Path Traversal in FileTools |
| CVE-2026-39308 | unknown | — | — | 2mo ago | PraisonAI recipe registry publish path traversal allows out-of-root file write |
| CVE-2026-39306 | unknown | — | — | 2mo ago | PraisonAI recipe registry pull path traversal writes files outside the chosen output directory |
| CVE-2026-39305 | unknown | — | — | 2mo ago | PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator |
| CVE-2026-39307 | unknown | — | — | 2mo ago | PraisonAI Has Arbitrary File Write (Zip Slip) in Templates Extraction |
| CVE-2026-34953 | unknown | — | — | 2mo ago | PraisonAI Has Authentication Bypass via OAuthManager.validate_token() |
| CVE-2026-34952 | unknown | — | — | 2mo ago | PraisonAI Has Missing Authentication in WebSocket Gateway |
| CVE-2026-34955 | unknown | — | — | 2mo ago | PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox |
| CVE-2026-34936 | unknown | — | — | 2mo ago | PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback |
| CVE-2026-34939 | unknown | — | — | 2mo ago | PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools() |
| CVE-2026-34934 | unknown | — | — | 2mo ago | PraisonAI Has Second-Order SQL Injection in `get_all_user_threads` |
| CVE-2026-34935 | unknown | — | — | 2mo ago | PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command() |