3 matches found
PYSEC-2026-484 PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
Summary executecode in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith method to the safegetattr wrapper, achieving arbitrary OS command execution on the host. Details pythontools.py:2...
GHSA-3C4R-6P77-XWR7 PraisonAI Vulnerable to Code Injection and Protection Mechanism Failure
PraisonAI's AST-based Python sandbox can be bypassed using type.getattribute trampoline, allowing arbitrary code execution when running untrusted agent code. Description The executecodedirect function in praisonaiagents/tools/pythontools.py uses AST filtering to block dangerous Python attributes...
CVE-2026-34955
PraisonAI's SubprocessSandbox is vulnerable prior to version 4.5.97: it uses subprocess.run() with shell=True in all modes and blocks commands only by string-pattern matching, not recognizing sh/bash as standalone executables. This enables sandbox escape in STRICT mode via sh -c '' (and related b...