Hashtag
#PraisonAI
CVE-2026-34935: CWE-78: Improper Neutralization of Special Elements used in an O
PraisonAI, a multi-agent teams system, versions from 4.5.15 to before 4.5.69, improperly handle the --mcp command-line argument by forwarding it directly to shlex.split() and subsequently to anyio.open_process() without any validation, allo

🚨 CRITICAL alert: PraisonAI v4.5.15 - <4.5.69 has OS command injection (CVE-2026-34935). Attackers can run arbitrary commands. Update to 4.5.69+ ASAP! radar.offseq.com/threat/cve-2026-34935-cw... #OffSeq #CVE202634935 #PraisonAI

CVE-2026-34938: CWE-693: Protection Mechanism Failure in MervinPraison PraisonAI
PraisonAI versions before 1.5.90 contain a protection mechanism failure (CWE-693) in the execute_code() function of the praisonai-agents component. The sandbox intended to restrict execution can be bypassed by passing a specially crafted st

PraisonAI <1.5.90 hit by CRITICAL vuln: sandbox bypass in execute_code() enables OS command execution. Patch to v1.5.90+ now! 🛡️ radar.offseq.com/threat/cve-2026-34938-cw... #OffSeq #CVE202634938 #PraisonAI

CVE-2026-34952: CWE-306: Missing Authentication for Critical Function in MervinP
PraisonAI versions before 4.5.97 expose critical functions without authentication on the Gateway server endpoints /ws and /info. This lack of authentication (CWE-306) enables unauthenticated remote attackers to connect via WebSocket, enumer

CRITICAL: PraisonAI < 4.5.97 lets unauthenticated users connect to /ws & /info, exposing agent data & control. Upgrade to 4.5.97+ now for protection. radar.offseq.com/threat/cve-2026-34952-cw... #OffSeq #PraisonAI #Vulnerability
