
CVE-2026-40288 - Vulnerability Analysis

Severity: Critical, CVSS: 9.8

Last Updated: April 14, 2026

PraisonAI - Command Injection

Published: April 14, 2026
Updated: April 14, 2026
Remote Exploitable

Overview

PraisonAI versions before 4.5.139 and praisonaiagents versions before 1.5.140 contain a command injection vulnerability: the workflow engine processes untrusted YAML files without validation, allowing an attacker to execute arbitrary commands and code. Exploitation requires the attacker to supply, or influence the contents of, the workflow YAML files that the engine runs.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

Attackers can execute arbitrary commands and code on the host, leading to full system compromise and data exposure.

Mitigation

Update to PraisonAI 4.5.139 and praisonaiagents 1.5.140 or later.

Social Media Activity (4 posts)

OffSequence (@offseq), Apr 14, 2026:

🚨 CVE-2026-40288 (CRITICAL, CVSS 9.8): PraisonAI <4.5.139 vulnerable to OS command injection via untrusted YAML files. Attackers can achieve full system compromise. Upgrade ASAP! More: https://radar.offseq.com/threat/cve-2026-40288-cwe-78-improper-neutralization-of-s-06bb92e7 #OffSeq #PraisonAI #InfoSec

TheHackerWire (@thehackerwire), Apr 14, 2026:

🔓 CVE-2026-40288 - Critical (9.8) PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run lo... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40288/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-40288
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: new
EPSS: 0.0%
Social Posts: 4

CWE

  • CWE-78

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0% (probability of exploitation in the next 30 days)