Exposures › CVE-2026-61444
PraisonAI's AI deployment platform allows remote code execution via unsanitized user input in version 4.6.78 and below.
A critical code injection flaw in PraisonAI's deploy/api.py allows attackers to execute arbitrary Python code via unsanitized f-string interpolation. This poses a severe risk to DIB organizations relying on AI infrastructure, as it enables remote compromise of the underlying server environment. Immediate patching to version 4.6.78 is required to mitigate this high-severity vulnerability.
Shame score — Critical RCE vulnerability in an AI platform used by defense contractors, indicating a failure in input sanitization and potentially negligent security practices.
PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agents_file parameter is directly interpolated into an f-string without sanitization. Attackers can inject arbitrary Python code that executes when the generated server code runs via subprocess.Popen().
No correlated FedRAMP products.