COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-61444

CVE-2026-61444

Severity
critical
Source
NVD · cve
Published
2026-07-10
CVSS
9.1
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-61444
⚡ RCE shame 85/100 rceunpatchedexploited-in-wild

PraisonAI's AI deployment platform allows remote code execution via unsanitized user input in version 4.6.78 and below.

A critical code injection flaw in PraisonAI's deploy/api.py allows attackers to execute arbitrary Python code via unsanitized f-string interpolation. This poses a severe risk to DIB organizations relying on AI infrastructure, as it enables remote compromise of the underlying server environment. Immediate patching to version 4.6.78 is required to mitigate this high-severity vulnerability.

Shame score — Critical RCE vulnerability in an AI platform used by defense contractors, indicating a failure in input sanitization and potentially negligent security practices.

Description

PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agents_file parameter is directly interpolated into an f-string without sanitization. Attackers can inject arbitrary Python code that executes when the generated server code runs via subprocess.Popen().

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.