
PraisonAI — Vulnerabilities & Security Advisories (46)

All 46 CVE vulnerabilities found in PraisonAI, with AI-generated Chinese analysis, references, and POCs.

Vendor: MervinPraison

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-39889 | PraisonAI has Unauthenticated SSE Event Stream Exposes All Agent Activity in A2U Server | CWE-200 | 7.5 | High | 2026-04-08 |
| CVE-2026-39307 | PraisonAI has an Arbitrary File Write (Zip Slip) in Templates Extraction | CWE-22 | 8.1 | High | 2026-04-07 |
| CVE-2026-39308 | PraisonAI recipe registry publish path traversal allows out-of-root file write | CWE-22 | 7.1 | High | 2026-04-07 |
| CVE-2026-39306 | PraisonAI recipe registry pull path traversal writes files outside the chosen output directory | CWE-22 | 7.3 | High | 2026-04-07 |
| CVE-2026-39305 | Arbitrary File Write / Path Traversal in Action Orchestrator | CWE-22 | 9.0 | Critical | 2026-04-07 |
| CVE-2026-35615 | PraisonAI has a Path Traversal in FileTools | CWE-22 | 8.1 | High | 2026-04-07 |
| CVE-2026-34955 | PraisonAI: Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox | CWE-78 | 8.8 | High | 2026-04-03 |
| CVE-2026-34954 | PraisonAI: SSRF in FileTools.download_file() via Unvalidated URL | CWE-918 | 8.6 | High | 2026-04-03 |
| CVE-2026-34953 | PraisonAI: Authentication Bypass in OAuthManager.validate_token() | CWE-863 | 9.1 | Critical | 2026-04-03 |
| CVE-2026-34952 | PraisonAI: Missing Authentication in WebSocket Gateway | CWE-306 | 9.1 | Critical | 2026-04-03 |
| CVE-2026-34939 | PraisonAI: ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools() | CWE-1333 | 6.5 | Medium | 2026-04-03 |
| CVE-2026-34938 | PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code | CWE-693 | 10.0 | Critical | 2026-04-03 |
| CVE-2026-34937 | PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution | CWE-78 | 7.8 | High | 2026-04-03 |
| CVE-2026-34936 | PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback | CWE-918 | 7.7 | High | 2026-04-03 |
| CVE-2026-34934 | PraisonAI: Second-Order SQL Injection in `get_all_user_threads` | CWE-89 | 9.8 | Critical | 2026-04-03 |
| CVE-2026-34935 | PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command() | CWE-78 | 9.8 | Critical | 2026-04-03 |

All 46 known CVE vulnerabilities affecting PraisonAI with full Chinese analysis, references, and POCs where available.