Remote Code Execution in PraisonAI Plugin Manager by Praison AI
CVE-2026-61446

8.6HIGH

Key Information:

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61446?

PraisonAI versions prior to 1.6.78 include a serious vulnerability in their plugin manager that permits remote code execution. This flaw enables an attacker to upload and execute arbitrary Python (.py) files stored in project-level and user-home directories. The exploitation of this vulnerability can occur via path traversal, supply chain attacks, or compromised dependencies, leading to severe security risks once the plugin system is initialized. No code signing, integrity verification, or sandboxing is in place, which exacerbates the potential for exploitation.

Affected Version(s)

PraisonAI 0 < 1.6.78

PraisonAI 1.6.78

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

anushkavirgaonkar
.