Home / Vulnerability Intelligence / CVE-2026-34955

CVE-2026-34955 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: April 4, 2026

PraisonAI - Command Injection

Published: April 4, 2026Updated: April 4, 2026

Overview

PraisonAI < 4.5.97 contains a command injection caused by subprocess.run() called with shell=True and insufficient blocklist filtering in SubprocessSandbox, letting attackers escape sandbox in STRICT mode via shell commands, exploit requires sandbox usage in STRICT mode.

Severity & Score

Severity: High

CVSS Score: 8.8

Impact

Attackers can escape the sandbox and execute arbitrary commands, potentially compromising the host system.

Mitigation

Update to version 4.5.97 or later.

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r4f2-3m54-pp7q

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-34955
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: new

CWE

CWE-78

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H