13 matches found

Github Security Blog
added 2026/05/11 1:59 p.m. | 4 views

PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute

Summary: praisonaiagents resolves unresolved tool names against module globals and `__main__` after it fails to match the declared tool list and the registry. With the default agent configuration, permallow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An...

CVSS 8.6 | AI score 6 | EPSS 0.00037
Exploits: 1 | References: 3 | Affected Software: 2

RedhatCVE
added 2026/04/13 7:23 p.m. | 2 views

CVE-2026-40160

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, webcrawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints...

CVSS 7.1 | AI score 5.8 | EPSS 0.0005
Exploits: 1 | References: 1

EUVD
added 2026/04/10 7:23 p.m. | 2 views

EUVD-2026-21170

PraisonAIAgents has SSRF and Local File Read via Unvalidated URLs in webcrawl Tool...

CVSS 7.7 | AI score 5.8 | EPSS 0.00038
Exploits: 1 | References: 2

Snyk
added 2026/04/10 7:23 p.m. | 2 views

Missing Authorization

Overview: praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents. Affected versions of this package are vulnerable to Missing Authorization via the read_skill_file function. An attacker can access sensitive files on the filesystem by supplying arbitrary paths ...

CVSS 8.7 | AI score 5.9 | EPSS 0.00055
Exploits: 1 | References: 2

NVD
added 2026/04/10 5:17 p.m. | 0 views

CVE-2026-40160

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, webcrawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints...

CVSS 7.1 | EPSS 0.0005
Exploits: 1 | References: 1

ATTACKERKB
added 2026/04/10 4:59 p.m. | 1 views

CVE-2026-40160

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, webcrawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints...

CVSS 7.1 | AI score 5.8 | EPSS 0.0005
Exploits: 1 | References: 2 | Affected Software: 1

NVD
added 2026/04/09 10:16 p.m. | 1 views

CVE-2026-40150

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the webcrawl function in praisonaiagents/tools/webcrawltools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are applied before fetching. Thi...

CVSS 7.7 | EPSS 0.00038
Exploits: 1 | References: 1

NVD
added 2026/04/09 10:16 p.m. | 1 views

CVE-2026-40111

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell...

CVSS 9.3 | EPSS 0.00035
Exploits: 1 | References: 1

Cvelist
added 2026/04/09 9:21 p.m. | 15 views

CVE-2026-40117 PraisonAIAgents Affected by Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike runskillscript...

CVSS 6.2 | EPSS 0.00055
Exploits: 1 | References: 1

Positive Technologies
added 2026/04/09 12:00 a.m. | 1 views

PT-2026-31786

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill...

CVSS 6.2 | AI score 6 | EPSS 0.00055
Exploits: 1 | References: 5

CVE
added 2026/04/08 8:41 p.m. | 2 views

CVE-2026-39888

PraisonAI’s PraisonAIAgents contain a sandbox escape in execute_code() (subprocess mode) prior to version 1.5.115. The subprocess wrapper blocks only a subset of attributes, and the missing frame-traversal attributes (__traceback__, tb_frame, f_back, f_builtins) can be chained via a caught exception...

CVSS 9.9 | AI score 6 | EPSS 0.00042
Exploits: 0 | References: 1 | Affected Software: 1

Snyk
added 2026/04/08 7:17 p.m. | 2 views

Deserialization of Untrusted Data

Overview: praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents. Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the YAML deserialization in the loadAgentFromFile function. An attacker can execute arbitrary code...

CVSS 9.8 | AI score 6.2 | EPSS 0.00555
Exploits: 0 | References: 2

OSV
added 2026/04/01 11:27 p.m. | 1 views

GHSA-44C2-3RW4-5GVH PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL

Summary: FileTools.download_file in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata...

CVSS 8.6 | AI score 5.9 | EPSS 0.00022
Exploits: 1 | References: 3