PraisonAI Vulnerable to OS Command Injection
Modified: 4/10/2026
Package: pkg:pypi/praisonai
PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
Modified: 4/10/2026
PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS
Modified: 4/10/2026
PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading
Modified: 4/9/2026
PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries
Modified: 5/11/2026
PraisonAI Vulnerable to Code Injection and Protection Mechanism Failure
Modified: 4/10/2026
PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
Modified: 5/29/2026
PraisonAI Has Arbitrary File Write (Zip Slip) in Templates Extraction
Modified: 4/7/2026
PraisonAI recipe registry pull path traversal writes files outside the chosen output directory
Modified: 4/7/2026
PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls
Modified: 4/10/2026
PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings
Modified: 5/29/2026
PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context
Modified: 5/29/2026
PraisonAI Has Path Traversal in FileTools
Modified: 4/7/2026
PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
Modified: 5/11/2026
PraisonAI: Arbitrary code execution via unguarded `spec.loader.exec_module` in `agents_generator.py` - sibling of CVE-2026-44334
Modified: 5/29/2026
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
Modified: 5/29/2026
PraisonAI call server exposes unauthenticated agent listing, invocation, and deletion when CALL_SERVER_TOKEN is unset
Modified: 5/29/2026
PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API
Modified: 4/10/2026
PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools()
Modified: 4/6/2026
PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
Modified: 4/14/2026
PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
Modified: 4/6/2026
PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack`
Modified: 4/10/2026
PraisonAI Has Second-Order SQL Injection in `get_all_user_threads`
Modified: 4/6/2026
PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate
Modified: 5/29/2026
PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
Modified: 4/6/2026
PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection
Modified: 5/11/2026
PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`
Modified: 5/11/2026
PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection
Modified: 5/12/2026
PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)
Modified: 4/10/2026
PraisonAI Has Missing Authentication in WebSocket Gateway
Modified: 4/6/2026
PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server
Modified: 4/9/2026
PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits
Modified: 4/10/2026
PraisonAI Vulnerable to Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars
Modified: 4/10/2026
PraisonAI Vulnerable to RCE via Automatic tools.py Import
Modified: 4/14/2026
PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute
Modified: 5/11/2026
PraisonAI has an Arbitrary File Write in Python API
Modified: 5/29/2026
PraisonAI has Template Injection in Agent Tool Definitions
Modified: 4/9/2026
PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator
Modified: 4/7/2026
PraisonAI Vulnerable to Sensitive Environment Variable Exposure via Untrusted MCP Subprocess Execution
Modified: 4/10/2026
PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS
Modified: 4/10/2026
PraisonAI Vulnerable Untrusted Remote Template Code Execution
Modified: 4/10/2026
PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits
Modified: 4/10/2026
PraisonAI: Hardcoded `approval_mode="auto"` in Chainlit UI Overrides Administrator Configuration, Enabling Unapproved Shell Command Execution
Modified: 4/10/2026
PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox
Modified: 4/6/2026
PraisonAI recipe registry publish path traversal allows out-of-root file write
Modified: 4/7/2026
PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)
Modified: 5/12/2026
PraisonAI has critical RCE via `type: job` workflow YAML
Modified: 4/14/2026
PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution
Modified: 5/29/2026
PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback
Modified: 4/6/2026
PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries
Modified: 4/14/2026
PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass)
Modified: 5/12/2026