ГлавнаяУязвимости → CVE-2026-61444
9.1критическая

CVE-2026-61444

Описание

PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agents_file parameter is directly interpolated into an f-string without sanitization. Attackers can inject arbitrary Python code that executes when the generated server code runs via subprocess.Popen().

CVSS
Балл9.1 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Источники
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g6j7-pffp-8whghttps://www.vulncheck.com/advisories/praisonai-before-code-injection-via-f-stringhttps://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g6j7-pffp-8whg