Github · Github Actions · CVE-2026-34243
**Name of the Vulnerable Software and Affected Versions**
njzjz/wenxian (affected versions not specified)
**Description**
A command injection flaw exists in a GitHub Actions workflow because untrusted user input from `github.event.comment.body` is interpolated directly into a shell command. The workflow is triggered by the `issue_comment` event, which any user who can comment on the repository's issues can fire. The vulnerable step expands `${{ github.event.comment.body }}` inside a `run:` script without sanitization; because the runner substitutes the expression into the script text before the shell parses it, a comment containing shell metacharacters changes the command itself rather than being treated as data. The vulnerable command is: `echo identifiers=$(echo "${{ github.event.comment.body }}" | grep -oE '@njzjz-bot .*' | head -n1 | cut -c12- | xargs) >> $GITHUB_OUTPUT`. The extracted value is reused in another step, so unsafe content can propagate beyond the first step. A proof of concept shows that an attacker can inject arbitrary shell commands through an issue comment such as `@njzjz-bot paper123" ) ; whoami ; #`: the `"` and `)` close the `$(echo "...")` substitution, `; whoami ;` runs as a separate command, and `#` comments out the remainder of the original line. Successful injection executes arbitrary commands on the GitHub Actions runner, which can expose the `GITHUB_TOKEN`, allow exfiltration of repository data, and compromise the CI/CD pipeline.
**Recommendations**
Avoid interpolating untrusted user input into shell commands. Instead, expose `github.event.comment.body` to the step through an environment variable (the `env:` key on the step) and reference it in the script as a quoted shell variable, for example `"$COMMENT_BODY"`; the shell then treats the comment text purely as data. Apply the same rule to any later step that consumes the extracted `identifiers` output, since an `${{ steps.*.outputs.* }}` expression spliced into a `run:` script reintroduces the same injection.
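The following is an added example, not code from the njzjz/wenxian workflow or from the advisory. It emulates what the runner does with the vulnerable step (splicing the comment text into the script before a fresh shell parses it) beside the environment-variable version recommended above. The `COMMENT_BODY` variable name, the `safe_step`/`vulnerable_step` function names and the payload with `whoami` replaced by a fixed `echo INJECTED` marker are assumptions chosen so the result is deterministic.

```shell
#!/bin/sh
# Constructed demonstration (not the njzjz/wenxian workflow) of why the
# vulnerable step is injectable and why the env-var form is not.
#
# GitHub substitutes the text of `${{ github.event.comment.body }}` into the
# `run:` script before the shell sees it. vulnerable_step() emulates that by
# building the script as a string and handing it to a fresh `sh -c`.

# Same shape as the advisory's payload, with `whoami` swapped for a fixed
# marker so the outcome can be checked reliably.
PAYLOAD='@njzjz-bot paper123" ) ; echo INJECTED ; #'

# Emulation of the vulnerable step: comment body spliced into the script text.
vulnerable_step() {
  body="$1"
  script="echo identifiers=\$(echo \"${body}\" | grep -oE '@njzjz-bot .*' | head -n1 | cut -c12- | xargs)"
  # With PAYLOAD spliced in, the script the shell parses reads:
  #   echo identifiers=$(echo "@njzjz-bot paper123" ) ; echo INJECTED ; #" | grep ...
  # so `echo INJECTED` runs as its own command and `#` discards the rest.
  sh -c "$script" 2>/dev/null
}

# Hardened version: the body travels as an environment variable (in a
# workflow: `env: COMMENT_BODY: ${{ github.event.comment.body }}` on the
# step) and the script refers to "$COMMENT_BODY", which the shell expands as
# data, never re-parsing it as code. The trailing xargs is replaced by sed
# for trimming: xargs parses quotes itself and aborts on the unbalanced `"`
# in this payload.
safe_step() {
  COMMENT_BODY="$1" sh -c '
    printf "%s\n" "$COMMENT_BODY" \
      | grep -oE "@njzjz-bot .*" \
      | head -n1 \
      | cut -c12- \
      | sed "s/^[[:space:]]*//;s/[[:space:]]*\$//"
  '
}

# Returns 0 if the captured step output contains a line that is exactly
# INJECTED, i.e. the injected command ran.
was_injected() {
  printf "%s\n" "$1" | grep -qx 'INJECTED'
}

if [ "${1:-}" = "demo" ]; then
  echo "--- vulnerable step ---"; vulnerable_step "$PAYLOAD"
  echo "--- safe step ---";       safe_step "$PAYLOAD"
fi
```

Run with `sh demo.sh demo`: the vulnerable step prints `identifiers=@njzjz-bot paper123` followed by `INJECTED`, while the safe step prints the literal string `paper123" ) ; echo INJECTED ; #` as the extracted identifier and executes nothing from it. In the real workflow the same value is then written to `$GITHUB_OUTPUT`, so the consuming step must read it through `env:` as well.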