| Severity | Score | CVE | Title | Affected versions |
|---|---|---|---|---|
| CRITICAL | 10.0 | CVE-2026-34938 | PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code | from 0, < 1.5.90 |
| CRITICAL | 9.9 | CVE-2026-47392 | PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode) | from 0, < 1.6.40 |
| CRITICAL | 9.9 | CVE-2026-39888 | PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode) | from 0, < 1.5.115 |
| CRITICAL | 9.8 | | PraisonAI has an SSRF bypass | from 0, < 1.6.32 |
| CRITICAL | 9.8 | | PraisonAI has critical RCE via `type: job` workflow YAML | from 0, < 1.5.140 |
| CRITICAL | 9.1 | | PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions | from 0, < 1.5.140 |
| HIGH | 8.6 | | PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute | from 0, < 1.6.37 |
| HIGH | 8.6 | | PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL | from 0, < 1.5.95 |
| HIGH | 8.4 | | PraisonAI Vulnerable to RCE via Automatic tools.py Import | from 0, < 1.5.140 |
| HIGH | 8.1 | | PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315) | from 0, < 1.6.8 |
| HIGH | 7.8 | | PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution | from 0, < 1.5.90 |
| HIGH | 7.7 | | PraisonAIAgents has SSRF and Local File Read via Unvalidated URLs in web_crawl Tool | from 0, < 1.5.128 |
| HIGH | 7.4 | | PraisonAIAgents: Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False in Shell Tool | from 0, < 1.5.128 |
| MEDIUM | 6.2 | | PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate | from 0, < 1.5.128 |
| MEDIUM | 5.5 | | PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context | from 0, < 1.6.40 |
| MEDIUM | 5.5 | | PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings | from 0, < 1.6.40 |
| MEDIUM | 5.3 | | PraisonAIAgents: Path Traversal via Unvalidated Glob Pattern in list_files Bypasses Workspace Boundary | from 0, < 1.5.128 |
| — | | | PraisonAIAgents: SSRF via unvalidated URL in `web_crawl` httpx fallback | >= 0.13.23, < 1.5.128 |
| — | | | PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py) | from 0, < 1.5.128 |