Code Injection Vulnerability in PraisonAI by Mervin Praison
CVE-2026-61444
9.4CRITICAL
What is CVE-2026-61444?
PraisonAI versions prior to 4.6.78 are susceptible to a code injection flaw caused by the unsafe interpolation of the agents_file parameter in deploy/api.py. This lack of proper sanitization allows attackers to inject malicious Python code, which gets executed when the server code runs through subprocess.Popen(). This vulnerability poses a significant threat as it can lead to unauthorized code execution, making it crucial for users to upgrade to the latest version to mitigate risks.
Affected Version(s)
PraisonAI 0 < 4.6.78
PraisonAI 4.6.78
