Remote Code Execution in PraisonAI Plugin Manager by Praison AI
CVE-2026-61446
8.6HIGH
What is CVE-2026-61446?
PraisonAI versions prior to 1.6.78 include a serious vulnerability in their plugin manager that permits remote code execution. This flaw enables an attacker to upload and execute arbitrary Python (.py) files stored in project-level and user-home directories. The exploitation of this vulnerability can occur via path traversal, supply chain attacks, or compromised dependencies, leading to severe security risks once the plugin system is initialized. No code signing, integrity verification, or sandboxing is in place, which exacerbates the potential for exploitation.
Affected Version(s)
PraisonAI 0 < 1.6.78
PraisonAI 1.6.78
