CVE-2026-61444 PUBLISHED

PraisonAI before 4.6.78 Code Injection via f-string

Assigner: VulnCheck
Reserved: 09.07.2026 Published: 10.07.2026 Updated: 10.07.2026

PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agents_file parameter is directly interpolated into an f-string without sanitization. Attackers can inject arbitrary Python code that executes when the generated server code runs via subprocess.Popen().

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Product Status

Vendor MervinPraison
Product PraisonAI
Versions Default: unaffected
  • affected from 0 to 4.6.78 (excl.)
  • Version 4.6.78 is unaffected

Credits

  • anushkavirgaonkar reporter

References

Problem Types

  • Improper Control of Generation of Code ('Code Injection') CWE