CVE-2026-7593

CVE-2026-7593 affects Sunwood-ai-labs command-executor-mcp-server up to 0.1.0. The vulnerability resides in the MCP Interface’s function execute_command (src/index.ts), enabling an attacker to perform OS command injection . Remote exploitation is possible, with public disclosures already availabl...

Incorrect Authorization

Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Incorrect Authorization via the executecommand call. An attacker can access sensitive environment variables and exfiltrate confidential...

Exposure of Sensitive Information Through Environmental Variables

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

GHSA-V8G7-9Q6V-P3X8 PraisonAIAgents: Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False in Shell Tool

Summary The executecommand function in shelltools.py calls os.path.expandvars on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False line 88 for security. This allows exfiltration of secrets stored in environment variabl...

CVE-2025-61492

A command injection vulnerability in the executecommand function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted input...