ГлавнаяУязвимости → CVE-2026-34935
9.8критическая

CVE-2026-34935

Описание

PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. This issue has been patched in version 4.5.69.

Затрагиваемое ПО
Praison Praisonai
CVSS
Балл9.8 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Источники
https://github.com/MervinPraison/PraisonAI/commit/47bff65413beaa3c21bf633c1fae4e684348368chttps://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9gm9-c8mq-vq7m