Praisonai

PraisonAI is vulnerable to SQL injection across nine database backends due to unsanitized `table_prefix` parameters, and in PostgreSQL due to an unsanitized `schema` parameter, enabling arbitrary SQL execution.

PraisonAI versions before 4.5.139 and praisonaiagents versions before 1.5.140 are vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on the /ws WebSocket endpoint, enabling unauthorized remote control and data leakage.

PraisonAI versions 4.5.138 and below are vulnerable to arbitrary code execution due to the unsanitized import of a malicious tools.py file, leading to potential system compromise.

PraisonAI is vulnerable to remote code execution; loading untrusted YAML files with `type: job` can lead to arbitrary host command execution, potentially enabling full system compromise.

A vulnerability in PraisonAI allows authenticated users to execute arbitrary shell commands due to a hardcoded approval setting in the Chainlit UI modules, overriding administrator configurations and bypassing intended approval gates; insufficient command sanitization allows for destructive command execution, leading to confidentiality breach, integrity compromise, and availability impact on the server.

PraisonAI versions prior to 4.5.128 are vulnerable to Server-Side Request Forgery (SSRF) due to a lack of URL validation on the webhook_url parameter in the /api/v1/runs endpoint, allowing unauthenticated attackers to send arbitrary POST requests from the server.

PraisonAI versions prior to 4.5.121 are vulnerable to OS command injection, allowing attackers to execute arbitrary shell commands via user-controlled input in agent workflows, YAML definitions, and LLM-generated tool calls.

PraisonAI is vulnerable to OS command injection due to the use of `subprocess.run()` with `shell=True` on user-controlled inputs, allowing attackers to inject arbitrary shell commands and potentially leading to sensitive data exfiltration or system compromise in versions prior to 4.5.121.

PraisonAI versions prior to 1.5.90 are vulnerable to OS Command Injection (CVE-2026-34937) due to insufficient escaping in the run_python() function, allowing arbitrary OS command execution via shell interpolation.

PraisonAI's SubprocessSandbox allows attackers to bypass command restrictions due to the use of `shell=True` in `subprocess.run()` combined with an insufficient blocklist that does not include `sh` or `bash`, enabling command execution via `sh -c '<command>'`.

PraisonAI versions 4.5.89 and earlier are vulnerable to SSRF via the `api_base` parameter in the `passthrough()` function, allowing attackers to make requests to internal services or external hosts, potentially leading to IAM credential theft on cloud infrastructure or access to internal services within the VPC.