CVE-2026-40112
PraisonAI (multi-agent system) is affected by a Stored XSS in the Flask API before version 4.5.128. The /src/praisonai/api.py endpoint renders agent output as HTML using a _sanitize_html routine that relies on the nh3 library, which is not declared as a required/optional dependency in pyproject.t...