← Volver a CVEs
CVE-2026-39891
HIGH8.8
Descripcion
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping, template expressions in the input are executed rather than treated as literal text. This vulnerability is fixed in 4.5.115.
Detalles CVE
Puntuacion CVSS v3.18.8
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosLOW
Interaccion usuarioNONE
Publicado4/8/2026
Ultima modificacion4/9/2026
Fuentenvd
Avistamientos honeypot0
Debilidades (CWE)
CWE-94
Referencias
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-hwg5-x759-7wjg(security-advisories@github.com)
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-hwg5-x759-7wjg(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.