PYSEC-2026-470 PraisonAI Has Second-Order SQL Injection in `get_all_user_threads`
Summary The getalluserthreads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via updatethread. When the application loads the thread list, the injected payload executes and grants full database...