PT-2026-60140 · Mervinpraison · Praisonai

Chakrapani150

·

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-61438

CVSS v3.1

7.3

High

VectorAV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
PraisonAI before 4.6.78 contains a remote code execution vulnerability in JobWorkflowExecutor. exec inline python() due to insufficient AST validation of workflow script steps. Attackers can create malicious YAML workflow files with import os statements followed by os.system() calls that bypass sandbox checks and execute arbitrary OS commands with process privileges.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-61438

Affected Products

Praisonai