{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/web-crawling/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI \u003c= 4.6.37"],"_cs_severities":["high"],"_cs_tags":["arbitrary file write","web crawling","data exfiltration"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI versions up to 4.6.37 are susceptible to an arbitrary file write vulnerability (CVE-2026-47397) within its Python API. This flaw stems from the \u003ccode\u003ewrite_file\u003c/code\u003e function\u0026rsquo;s lack of path validation when the \u003ccode\u003eworkspace\u003c/code\u003e parameter is set to \u003ccode\u003eNone\u003c/code\u003e, a default configuration in production environments. An attacker can exploit this by hosting a webpage containing hidden metadata that specifies an arbitrary file path and content. When a victim\u0026rsquo;s PraisonAI agent crawls and analyzes this webpage, it autonomously calls the \u003ccode\u003ewrite_file\u003c/code\u003e function, writing the attacker-controlled content to the specified path on the victim\u0026rsquo;s system. This vulnerability allows attackers to bypass injection defenses and LLM safety measures, as the agent performs normal operations triggered by the malicious metadata.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious webpage containing hidden metadata within a \u003ccode\u003e\u0026lt;span\u0026gt;\u003c/code\u003e element, defining the \u003ccode\u003eoutput_file\u003c/code\u003e and \u003ccode\u003eoutput_content\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eA victim uses the PraisonAI Python API to initiate a web crawling task, targeting the attacker\u0026rsquo;s malicious webpage using the \u003ccode\u003eweb_crawl\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003eThe PraisonAI agent crawls the attacker-controlled webpage using the \u003ccode\u003eweb_crawl\u003c/code\u003e tool, extracting the hidden metadata.\u003c/li\u003e\n\u003cli\u003eThe agent parses the extracted metadata and identifies the \u003ccode\u003eoutput_file\u003c/code\u003e parameter, which specifies the arbitrary file path.\u003c/li\u003e\n\u003cli\u003eThe agent, as part of its normal operation, autonomously calls the \u003ccode\u003ewrite_file\u003c/code\u003e function to write the extracted content to a file.\u003c/li\u003e\n\u003cli\u003eBecause \u003ccode\u003eworkspace\u003c/code\u003e is \u003ccode\u003eNone\u003c/code\u003e, path validation is skipped in \u003ccode\u003ecode/tools/write_file.py:77-83\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewrite_file\u003c/code\u003e function writes the content defined by the \u003ccode\u003eoutput_content\u003c/code\u003e parameter to the file path specified by \u003ccode\u003eoutput_file\u003c/code\u003e on the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary file write on the victim\u0026rsquo;s system, potentially leading to code execution or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to write arbitrary files to the victim\u0026rsquo;s system. This can lead to various malicious outcomes, including overwriting critical system files, injecting malicious code, or exfiltrating sensitive information. The vulnerability affects any user of PraisonAI who processes attacker-controlled webpages using the \u003ccode\u003eweb_crawl\u003c/code\u003e tool, potentially impacting a wide range of users and applications that rely on PraisonAI for automated web analysis.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI to a version later than 4.6.37 to incorporate the fix for CVE-2026-47397.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Arbitrary File Write via Web Crawl\u0026rdquo; to detect exploitation attempts by monitoring for calls to the \u003ccode\u003ewrite_file\u003c/code\u003e function with attacker-controlled paths.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization measures to prevent malicious metadata injection into web pages processed by PraisonAI agents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T22:33:10Z","date_published":"2026-05-29T22:33:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-file-write/","summary":"PraisonAI versions 4.6.37 and earlier are vulnerable to arbitrary file write due to missing path validation in the `write_file` function when `workspace=None`, allowing an attacker to write attacker-controlled content to arbitrary file paths on the victim's system via a malicious webpage.","title":"PraisonAI Arbitrary File Write Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-file-write/"}],"language":"en","title":"CraftedSignal Threat Feed — Web Crawling","version":"https://jsonfeed.org/version/1.1"}