PT-2026-57196 · Praisonai · Praisonai

Anushkavirgaonkar

·

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-61444

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.6.78
Description A code injection issue exists in the deploy/api.py file. The agents file parameter is directly interpolated into an f-string without proper sanitization. This interpolated string is used to generate server code that is subsequently executed via the subprocess.Popen() function. An authorized user with access to the deploy API can exploit this to inject and execute arbitrary Python code within the context of the deployment process.
Recommendations Update PraisonAI to version 4.6.78. Avoid using the agents file parameter in the deploy/api.py endpoint until the update is applied.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-61444

Affected Products

Praisonai