Product
PraisonAI versions before 4.6.78 contain an unauthenticated server-side request forgery (SSRF) vulnerability, CVE-2026-60091, in the Jobs API `/api/v1/runs` endpoint via the `webhook_url` parameter, allowing attackers to exploit DNS rebinding to access internal services.