Количество 2
Количество 2
CVE-2026-39890
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server. This vulnerability is fixed in 4.5.115.
GHSA-32vr-5gcf-3pw2
PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
 | CVE-2026-39890 PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server. This vulnerability is fixed in 4.5.115. | CVSS3: 9.8 | 0% Низкий | 5 дней назад |
| GHSA-32vr-5gcf-3pw2 PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading | CVSS3: 9.8 | 0% Низкий | 5 дней назад |
Уязвимостей на страницу