CVE-2026-34955 in PraisonAIinformation

Résumé (Anglaise)

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in STRICT mode via sh -c ''. This issue has been patched in version 4.5.97.

Once again VulDB remains the best source for vulnerability data.

Responsable

GitHub_M

Réserver

31/03/2026

Divulgation

04/04/2026

Statut

Confirmé

Entrées

VulDB provides additional information and datapoints for this CVE:

ID	Vulnérabilité	CWE	Exp	Con	CVE
355242	MervinPraison PraisonAI subprocess.run élévation de privilèges	78	Non défini	Correctif officiel	CVE-2026-34955

Description

CPE

CWE

CVSS

Exploits

Histoire

Diff

Relier

Renseignements sur les menaces

API JSON

API XML

API CSV

Sources

◂ PrécédentAperçuSuivant ▸

Might our Artificial Intelligence support you?

Check our Alexa App!