Back to overview

CVE-2026-61430

HIGH Exploitation: PoC
8.5
CVSS 3.1
Description
PraisonAI before 1.6.78 contains a server-side request forgery vulnerability in the web_crawl tool that validates hostnames at check time but re-resolves them at connection time without IP pinning. Attackers can use DNS rebinding to bypass SSRF protection and retrieve internal HTTP response bodies from private or loopback services.

Metadata

CVE ID
CVE-2026-61430
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-09 14:05 UTC
Published
2026-07-15 11:25 UTC
Last updated
2026-07-15 12:17 UTC
Primary CWE
CWE-918
Server-Side Request Forgery (SSRF)
Vendor / Product
MervinPraison / PraisonAI
Sources
cve.org  ·  NVD

Severity & Metrics

8.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
MervinPraison PraisonAI 0 < 1.6.78, 1.6.78
Weakness (CWE)
CWESourceDescription
CWE-918 cna Server-Side Request Forgery (SSRF)
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
8.4 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
References (2)
Back to overview