CVE-2026-40287 - Vulnerability Analysis
Severity: High | CVSS: 8.4 | Last Updated: April 14, 2026
PraisonAI - Command Injection
Overview
PraisonAI versions 4.5.138 and earlier contain a command injection caused by the automatic, unsanitized import of a tools.py file from the current working directory. An attacker who can place a malicious tools.py in the directory from which PraisonAI is launched can execute arbitrary Python code in the PraisonAI process.
Impact
Attackers can execute arbitrary Python code, compromising the PraisonAI process, host system, and connected data or credentials.
Mitigation
Update to version 4.5.139 or later.
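To illustrate the defensive pattern behind this class of bug, here is an added example (hypothetical code, not PraisonAI's own) of a tool-plugin loader that only imports tools from an explicitly configured directory, rejects paths escaping it, and never searches the launch directory; `load_tools`, `UntrustedToolsPath` and `demo` are assumed names, and the tools.py files are constructed samples.

```python
# Hardened tool-plugin loader: a hypothetical, added example, not PraisonAI's code.
import importlib.util
import os
import tempfile
from pathlib import Path
from types import ModuleType
from typing import Optional


class UntrustedToolsPath(Exception):
    """Raised when the requested tools file is not inside the trusted directory."""


def load_tools(trusted_dir: str, filename: str = "tools.py") -> Optional[ModuleType]:
    """Load tools only from an explicitly configured directory, never from the CWD.

    The vulnerable pattern imports ``tools`` by name, so the interpreter picks up
    whatever tools.py sits in the launch directory.
    """
    root = Path(trusted_dir).resolve(strict=True)
    candidate = (root / filename).resolve()
    if candidate.parent != root:  # reject traversal or symlinks escaping root
        raise UntrustedToolsPath(f"{candidate} is outside {root}")
    if not candidate.is_file():
        return None  # no tools module is fine; importing from CWD is not
    spec = importlib.util.spec_from_file_location("trusted_tools", candidate)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def demo() -> dict:
    """Constructed scenario: a tools.py in the launch directory is ignored."""
    with tempfile.TemporaryDirectory() as cwd, tempfile.TemporaryDirectory() as trusted:
        Path(cwd, "tools.py").write_text("MARKER = 'from-cwd'\n")          # untrusted
        Path(trusted, "tools.py").write_text("MARKER = 'from-trusted'\n")  # operator's
        previous = os.getcwd()
        os.chdir(cwd)  # simulate launching from the attacker-writable directory
        try:
            loaded = load_tools(trusted)
            try:
                load_tools(trusted, "../tools.py")
                traversal_rejected = False
            except UntrustedToolsPath:
                traversal_rejected = True
            return {"loaded": loaded.MARKER,
                    "cwd_has_tools": Path("tools.py").is_file(),
                    "traversal_rejected": traversal_rejected}
        finally:
            os.chdir(previous)
```

Running `demo()` shows that even with a tools.py present in the current working directory, only the module from the configured trusted directory is loaded.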
Social Media Activity(2 posts)
CVE-2026-40287 - High (8.4) PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_... https://www.thehackerwire.com/vulnerability/CVE-2026-40287/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-40287
- Severity: High
- CVSS Score: 8.4
- Type: command_injection
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H