PT-2026-60140 · Mervinpraison · Praisonai
Chakrapani150
·
Published
2026-07-15
·
Updated
2026-07-15
·
CVE-2026-61438
CVSS v3.1
7.3
High
| Vector | AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
PraisonAI before 4.6.78 contains a remote code execution vulnerability in JobWorkflowExecutor. exec inline python() due to insufficient AST validation of workflow script steps. Attackers can create malicious YAML workflow files with import os statements followed by os.system() calls that bypass sandbox checks and execute arbitrary OS commands with process privileges.
Exploit
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Praisonai