GHSA-qpq9-hwx9-cwgcHighCVSS 7.8
PraisonAI before 4.6.78 fails to safely encode deployment configuration values when generating...
🔗 CVE IDs covered (1)
📋 Description
PraisonAI before 4.6.78 fails to safely encode deployment configuration values when generating Python source code for API servers. Attackers can inject arbitrary Python expressions through the deploy.api.host and agents_file configuration parameters that execute when the generated server starts or handles requests.
🔗 References (5)
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-79fv-7hq9-w7xg
- https://nvd.nist.gov/vuln/detail/CVE-2026-61433
- https://github.com/MervinPraison/PraisonAI/commit/1620b49f36945d8cc8ee5635b906c960df5097a0
- https://www.vulncheck.com/advisories/praisonai-before-code-injection-via-api-deployment-generator
- https://github.com/advisories/GHSA-qpq9-hwx9-cwgc