PT-2026-57196 · Praisonai · Praisonai
Anushkavirgaonkar
·
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-61444
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
PraisonAI versions prior to 4.6.78
Description
A code injection issue exists in the
deploy/api.py file. The agents file parameter is directly interpolated into an f-string without proper sanitization. This interpolated string is used to generate server code that is subsequently executed via the subprocess.Popen() function. An authorized user with access to the deploy API can exploit this to inject and execute arbitrary Python code within the context of the deployment process.Recommendations
Update PraisonAI to version 4.6.78.
Avoid using the
agents file parameter in the deploy/api.py endpoint until the update is applied.Exploit
Fix
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Praisonai