CVE-2026-61433
HIGH
7.8
CVSS 3.1
Description
PraisonAI before 4.6.78 fails to safely encode deployment configuration values when generating Python source code for API servers. Attackers can inject arbitrary Python expressions through the deploy.api.host and agents_file configuration parameters that execute when the generated server starts or handles requests.
Metadata
Severity & Metrics
7.8
HIGH CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| MervinPraison | PraisonAI | — | 0 < 4.6.78, 4.6.78 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-94 | cna | Improper Control of Generation of Code ('Code Injection') |
CVSS scores (2)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 8.5 | HIGH | 4.0 | cna | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| 7.8 | HIGH | 3.1 | cna | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References (3)
- GitHub Security Advisory (GHSA-79fv-7hq9-w7xg) https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-79fv-7hq9-w7xg
- https://github.com/MervinPraison/PraisonAI/commit/1620b49f36945d8cc8ee5635b906c960df5097a0 https://github.com/MervinPraison/PraisonAI/commit/1620b49f36945d8cc8ee5635b906c960df5097a0
- VulnCheck Advisory: PraisonAI before 4.6.78 Code Injection via API deployment generator https://www.vulncheck.com/advisories/praisonai-before-code-injection-via-api-deployment-generator