Vulnerabilities in MervinPraison
54 results (20 shown, sorted by EPSS score descending)

Columns: CVE ID | Severity | Title | EPSS (Exploit Prediction Scoring System, estimated probability of exploitation in the wild)

- CVE-2026-44338 | HIGH | PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution | EPSS 26.8%
- CVE-2026-34935 | CRITICAL | PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command() | EPSS 0.8%
- CVE-2026-40151 | MEDIUM | PraisonAI Affected by Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS | EPSS 0.8%
- CVE-2026-34938 | CRITICAL | PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code | EPSS 0.7%
- CVE-2026-44336 | CRITICAL | PraisonAI MCP `tools/call` path-traversal and RCE via Python `.pth` injection | EPSS 0.6%
- CVE-2026-40288 | CRITICAL | PraisonAI: Critical RCE via `type: job` workflow YAML | EPSS 0.6%
- CVE-2026-39890 | CRITICAL | PraisonAI Affected by Remote Code Execution via YAML Deserialization in Agent Definition Loading | EPSS 0.6%
- CVE-2026-39891 | HIGH | PraisonAI has a Template Injection in Agent Tool Definitions | EPSS 0.6%
- CVE-2026-34937 | HIGH | PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution | EPSS 0.5%
- CVE-2026-39888 | CRITICAL | PraisonAIAgents has a sandbox escape via exception frame traversal in `execute_code` (subprocess mode) | EPSS 0.5%
- CVE-2026-41497 | CRITICAL | Incomplete fix for CVE-2026-34935: Command Injection in MervinPraison/PraisonAI | EPSS 0.5%
- CVE-2026-34934 | CRITICAL | PraisonAI: Second-Order SQL Injection in `get_all_user_threads` | EPSS 0.5%
- CVE-2026-34952 | CRITICAL | PraisonAI: Missing Authentication in WebSocket Gateway | EPSS 0.4%
- CVE-2026-44340 | HIGH | PraisonAI: Symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir` | EPSS 0.4%
- CVE-2026-39889 | HIGH | PraisonAI has Unauthenticated SSE Event Stream Exposes All Agent Activity in A2U Server | EPSS 0.4%
- CVE-2026-40088 | CRITICAL | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai | EPSS 0.4%
- CVE-2025-12019 | MEDIUM | Featured Image <= 2.1 - Authenticated (Admin+) Stored Cross-Site Scripting | EPSS 0.4%
- CVE-2026-35615 | CRITICAL | PraisonAI has a Path Traversal in FileTools | EPSS 0.4%
- CVE-2026-34954 | HIGH | PraisonAI: SSRF in FileTools.download_file() via Unvalidated URL | EPSS 0.4%
- CVE-2026-34939 | MEDIUM | PraisonAI: ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools() | EPSS 0.4%