GHSA-VC46-VW85-3WVM PraisonAI has critical RCE via `type: job` workflow YAML

praisonai workflow run loads untrusted YAML and if type: job executes steps through JobWorkflowExecutor in jobworkflow.py. This supports: - run: → shell command execution via subprocess.run - script: → inline Python execution via exec - python: → arbitrary Python script execution A malicious YAML...

PraisonAI: Hardcoded `approval_mode="auto"` in Chainlit UI Overrides Administrator Configuration, Enabling Unapproved Shell Command Execution

Summary The Chainlit UI modules chat.py and code.py hardcode config.approvalmode = "auto" after loading administrator configuration from the PRAISONAPPROVALMODE environment variable, silently overriding any "manual" or "scoped" approval setting. This defeats the human-in-the-loop approval gate fo...

GHSA-QWGJ-RRPJ-75XM PraisonAI: Hardcoded `approval_mode="auto"` in Chainlit UI Overrides Administrator Configuration, Enabling Unapproved Shell Command Execution

Summary The Chainlit UI modules chat.py and code.py hardcode config.approvalmode = "auto" after loading administrator configuration from the PRAISONAPPROVALMODE environment variable, silently overriding any "manual" or "scoped" approval setting. This defeats the human-in-the-loop approval gate fo...

EUVD-2026-21524

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move function in fileManage.lib.php passes user-controlled path values directly into exec shell commands without using...

CVE-2026-40111

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell...

CVE-2026-21915

The CVE describes a vulnerability in Juniper Networks’ JSI Virtual Lightweight Collector (vLWC). A Permissive List of Allowed Input in the CLI enables local, high-privilege attackers to inject shell commands that run with root permissions, potentially yielding full system control. Affected: all J...

CVE-2026-40111

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell...

CVE-2026-40088

PraisonAI is a multi-agent teams system. Prior to 4.5.121, the executecommand function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell...

EUVD-2026-21064

PraisonAI is a multi-agent teams system. Prior to 4.5.121, the executecommand function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell...

CVE-2026-40088

PraxionAI (PraisonAI) is vulnerable to OS command injection prior to version 4.5.121. The execute_command function and workflow shell execution accept user-controlled input through YAML workflows, agent configurations, and LLM-generated tool calls, passing commands with shell=True to subprocess.r...

PT-2026-31744

A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks Support Insights JSI Virtual Lightweight Collector vLWC allows a local, high privileged attacker to escalate their privileges to root. The CLI menu accepts input without carefully validating it, which allows for shell...

CVE-2026-40030 parseusbs < 1.9 Command Injection via Volume Path Argument

parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument -v flag is passed unsanitized into an os.popen shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can...

Emissary has a Command Injection via PLACE_NAME Configuration in Executrix

Summary The Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACENAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters ;, |, $, , , , etc. to pass through into...

EUVD-2026-19730

Emissary has a Command Injection via PLACENAME Configuration in Executrix...

CVE-2026-35022

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell...

CVE-2026-35581 Emissary has a Command Injection via PLACE_NAME Configuration in Executrix

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACENAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing she...

CVE-2026-35581 Emissary has a Command Injection via PLACE_NAME Configuration in Executrix

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACENAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing she...

CVE-2026-34940

KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript function in internal/modelcontroller/engineollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components ref, modelParam. This shell command is executed via bash ...

CVE-2026-34937

PraisonAI is a multi-agent teams system. Prior to version 1.5.90, runpython in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "" and passing it to subprocess.run..., shell=True. The escaping logic only handles \ and ", leaving $ and backtick...

actions-mkdocs: Command Injection via issue title in internal GitHub Actions workflow

Summary External input from github.event.issue.title is used unsafely in a shell command in .github/workflows/release-candidate.yaml, allowing command injection during workflow execution. Details In .github/workflows/release-candidate.yaml, the issue title is interpolated directly into a shell...