Security advisories for PraisonAI, with severity, CVSS score, CVE ID where one is assigned, and the affected version range (`< X` means every release before X; rows marked — have no severity or score assigned).

| Severity | CVSS | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 9.9 | CVE-2026-47392 | PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode) | < 4.6.40 |
| CRITICAL | 9.8 | CVE-2026-47391 | PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution | < 4.6.40 |
| CRITICAL | 9.8 | CVE-2026-47393 | PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default | < 4.6.40 |
| CRITICAL | 9.8 | — | PraisonAI call server exposes unauthenticated agent listing, invocation, and deletion when CALL_SERVER_TOKEN is unset | < 4.6.40 |
| CRITICAL | 9.8 | — | PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection | < 4.5.149 |
| CRITICAL | 9.8 | — | PraisonAI has critical RCE via `type: job` workflow YAML | < 4.5.139 |
| CRITICAL | 9.8 | — | PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading | < 4.5.115 |
| CRITICAL | 9.8 | — | PraisonAI Has Second-Order SQL Injection in `get_all_user_threads` | < 4.5.90 |
| CRITICAL | 9.8 | — | PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command() | >= 4.5.15, < 4.5.69 |
| CRITICAL | 9.6 | — | PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection | < 4.6.34 |
| CRITICAL | 9.6 | — | PraisonAI Vulnerable to OS Command Injection | < 4.5.121 |
| CRITICAL | 9.3 | — | PraisonAI Vulnerable to Untrusted Remote Template Code Execution | < 4.5.128 |
| CRITICAL | 9.1 | — | PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions | < 4.5.139 |
| CRITICAL | 9.1 | — | PraisonAI Has Authentication Bypass via OAuthManager.validate_token() | < 4.5.97 |
| CRITICAL | 9.1 | — | PraisonAI Has Missing Authentication in WebSocket Gateway | < 4.5.97 |
| CRITICAL | 9.0 | — | PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator | < 4.5.113 |
| HIGH | 8.8 | — | PraisonAI has Template Injection in Agent Tool Definitions | < 4.5.115 |
| HIGH | 8.8 | — | PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox | < 4.5.97 |
| HIGH | 8.6 | — | PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute | < 4.6.37 |
| HIGH | 8.6 | — | PraisonAI Vulnerable to Code Injection and Protection Mechanism Failure | < 4.5.128 |
| HIGH | 8.4 | — | PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass) | >= 4.5.139, < 4.6.32 |
| HIGH | 8.4 | — | PraisonAI Vulnerable to RCE via Automatic tools.py Import | < 4.5.139 |
| HIGH | 8.4 | — | PraisonAI Vulnerable to Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars | < 4.5.128 |
| HIGH | 8.1 | — | PraisonAI: Arbitrary code execution via unguarded `spec.loader.exec_module` in `agents_generator.py` - sibling of CVE-2026-44334 | < 4.6.40 |
| HIGH | 8.1 | — | PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315) | < 4.5.149 |
| HIGH | 8.1 | — | PraisonAI Has Arbitrary File Write (Zip Slip) in Templates Extraction | < 4.5.113 |
| HIGH | 7.9 | — | PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls | < 4.5.128 |
| HIGH | 7.8 | — | PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading | < 4.5.128 |
| HIGH | 7.7 | — | PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback | < 4.5.90 |
| HIGH | 7.5 | — | PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir` | < 4.6.37 |
| HIGH | 7.5 | — | PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits | < 4.5.128 |
| HIGH | 7.5 | — | PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server | < 4.5.115 |
| HIGH | 7.3 | — | PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution | >= 2.5.6, < 4.6.34 |
| HIGH | 7.3 | — | PraisonAI recipe registry pull path traversal writes files outside the chosen output directory | < 4.5.113 |
| HIGH | 7.2 | — | PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API | < 4.5.128 |
| HIGH | 7.1 | — | PraisonAI recipe registry publish path traversal allows out-of-root file write | < 4.5.113 |
| MEDIUM | 6.5 | — | PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits | < 4.5.128 |
| MEDIUM | 6.5 | — | PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools() | < 4.5.90 |
| MEDIUM | 6.3 | — | PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries | >= 2.4.1, < 4.6.34 |
| MEDIUM | 6.2 | — | PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS | < 4.5.128 |
| MEDIUM | 5.5 | — | PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context | < 4.6.40 |
| MEDIUM | 5.5 | — | PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings | < 4.6.40 |
| MEDIUM | 5.5 | — | PraisonAI Vulnerable to Sensitive Environment Variable Exposure via Untrusted MCP Subprocess Execution | < 4.5.128 |
| MEDIUM | 5.4 | — | PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency) | < 4.5.128 |
| MEDIUM | 5.3 | — | PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS | < 4.5.128 |
| — | — | — | PraisonAI has an Arbitrary File Write in Python API | < 4.6.40 |
| — | — | — | PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate | < 4.6.40 |
| — | — | — | PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries | < 4.5.133 |
| — | — | — | PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack` | >= 2.7.2, < 4.5.128 |
| — | — | — | PraisonAI Has Path Traversal in FileTools | < 1.5.113 |
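The practical question this listing raises is "which of these ranges cover the version I have installed, and what is the lowest release that clears all of them?" The script below is an added example written for this page, not code from the PraisonAI project. It embeds a subset of rows copied from the listing above as constructed sample data, parses the listing's own range notation (`< X`, `from 0, < X`, `>= A, < B`), and compares plain dotted numeric versions as integer tuples; it assumes release strings carry no pre-release or local suffixes, and it knows nothing about the advisories beyond their ranges.

```python
"""Check an installed PraisonAI version against the advisory version ranges above.

Added example for this page, not PraisonAI project code. Version strings are
assumed to be plain dotted numerics (e.g. "4.5.140"); pre-release tags are rejected.
"""
import re
from typing import NamedTuple, Optional


class Advisory(NamedTuple):
    severity: str   # "" where the listing shows no severity
    title: str
    affected: str   # range exactly as the listing writes it


# Constructed sample data: a subset of rows copied from the listing above.
ADVISORIES = [
    Advisory("CRITICAL", "sandbox escape via print.__self__ builtins leak in execute_code", "< 4.6.40"),
    Advisory("CRITICAL", "OS Command Injection in MCPHandler.parse_mcp_command()", ">= 4.5.15, < 4.5.69"),
    Advisory("CRITICAL", "MCP tools/call path-traversal => RCE via .pth injection", "< 4.6.34"),
    Advisory("HIGH", "unauthenticated RCE via tool_override.py (CVE-2026-40287 patch bypass)", ">= 4.5.139, < 4.6.32"),
    Advisory("HIGH", "legacy API server with authentication disabled by default", ">= 2.5.6, < 4.6.34"),
    Advisory("MEDIUM", "knowledge-store backends interpolate collection names into SQL/CQL", ">= 2.4.1, < 4.6.34"),
    Advisory("", "arbitrary file write via path traversal in praisonai recipe unpack", ">= 2.7.2, < 4.5.128"),
    Advisory("", "Path Traversal in FileTools", "< 1.5.113"),
]

Version = tuple


def parse_version(text: str) -> Version:
    """Dotted numeric release string -> tuple of ints, so "4.5.9" < "4.5.10" compares correctly."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def parse_range(spec: str) -> "tuple[Optional[Version], Version]":
    """Return (lower_inclusive, upper_exclusive); lower is None when the range starts at 0.

    Accepts the listing's own forms: "< X", "from 0, < X" and ">= A, < B".
    """
    lower: Optional[Version] = None
    upper: Optional[Version] = None
    for clause in spec.split(","):
        clause = clause.strip()
        if clause.startswith(">="):
            lower = parse_version(clause[2:])
        elif clause.startswith("<"):
            upper = parse_version(clause[1:])
        elif clause.startswith("from"):
            lower = parse_version(clause[4:])
        else:
            raise ValueError(f"unsupported range clause: {clause!r}")
    if upper is None:
        raise ValueError(f"range has no fixed (upper) bound: {spec!r}")
    if lower == (0,):
        lower = None  # "from 0" means no lower bound
    return lower, upper


def is_affected(version: str, spec: str) -> bool:
    """True when `version` lies inside the affected range `spec`."""
    v = parse_version(version)
    lower, upper = parse_range(spec)
    return (lower is None or v >= lower) and v < upper


def applicable(version: str, advisories=ADVISORIES) -> list:
    """All advisories whose affected range covers the installed version."""
    return [a for a in advisories if is_affected(version, a.affected)]


def minimum_fixed_version(advisories=ADVISORIES) -> str:
    """Lowest release at or above which none of the listed ranges applies (the largest upper bound)."""
    best = max(parse_range(a.affected)[1] for a in advisories)
    return ".".join(str(n) for n in best)


if __name__ == "__main__":
    installed = "4.5.140"  # constructed example input
    for adv in applicable(installed):
        print(f"{adv.severity or '-':8} {adv.affected:22} {adv.title}")
    print("upgrade to at least", minimum_fixed_version())
```

Ranges with a lower bound matter: 4.5.138 is outside the `tool_override.py` range but 4.5.140 is inside it, so a version check that looks only at the upper bound over-reports on older releases. For the subset embedded here, the largest upper bound, and therefore the lowest release that clears every range, is 4.6.40, which matches the full table.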