Lucene search
+L

31 matches found

Vulnrichment
Vulnrichment
added 2026/04/09 9:22 p.m.4 views

CVE-2026-40148 PraisonAI Affected by Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the safeextractall function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractal...

6.5CVSS5.8AI score0.00243EPSS
Exploits1References1
OSV
OSV
added 2026/04/09 9:22 p.m.2 views

CVE-2026-40148 PraisonAI Affected by Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the safeextractall function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractal...

6.5CVSS6AI score0.00243EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/04/09 9:19 p.m.3 views

CVE-2026-40115 PraisonAI has an Unrestricted Upload Size in WSGI Recipe Registry Server Enables Memory Exhaustion DoS

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server server.py reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default no token...

6.2CVSS5.8AI score0.00334EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/09 9:18 p.m.3 views

CVE-2026-40114 PraisonAI has Server-Side Request Forgery via Unvalidated webhook_url in Jobs API

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhookurl in the request body with no URL validation. When a submitted job completes success or failure, the server makes an HTTP POST request to this URL using httpx.AsyncClient. An...

7.2CVSS6AI score0.0028EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/09 9:18 p.m.41 views

CVE-2026-40114 PraisonAI has Server-Side Request Forgery via Unvalidated webhook_url in Jobs API

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhookurl in the request body with no URL validation. When a submitted job completes success or failure, the server makes an HTTP POST request to this URL using httpx.AsyncClient. An...

7.2CVSS0.0028EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/09 9:17 p.m.2 views

CVE-2026-40113 PraisonAI has an Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars

PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openaimodel, openaikey, and openaibase without validating that these values do not contain commas. gcloud use...

8.4CVSS5.9AI score0.00231EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/09 9:16 p.m.20 views

CVE-2026-40112 PraisonAI has Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The sanitizehtml function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml...

5.4CVSS0.00216EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/09 12:0 a.m.5 views

PT-2026-31782

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.5.128 Description PraisonAI is a multi-agent teams system. The deploy.py script constructs a comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai model, openai...

8.4CVSS6.2AI score0.00231EPSS
Exploits1References12
Positive Technologies
Positive Technologies
added 2026/04/09 12:0 a.m.12 views

PT-2026-31785

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.5.128 Description PraisonAI is a multi-agent teams system. The /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation...

7.5CVSS6.1AI score0.00372EPSS
Exploits1References13
CNNVD
CNNVD
added 2026/04/09 12:0 a.m.10 views

PraisonAI 安全漏洞

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.128 contained security vulnerabilities. These vulnerabilities stemmed from the safeextractall function not checking the size, cumulative size, or quantity of archived files...

6.5CVSS5.8AI score0.00243EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/09 12:0 a.m.7 views

PT-2026-31810

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.5.128 Description PraisonAI is a multi-agent teams system. Prior to version 4.5.128, the software treats remotely fetched template files as trusted executable code without performing integrity verification, origin...

9.6CVSS5.8AI score0.00304EPSS
Exploits1References14
Rows per page
Query Builder