CVE-2026-61433

Severity CVSS v4.0:
HIGH
Type:
CWE-94 Code Injection
Publication date:
15/07/2026
Last modified:
15/07/2026

Description

PraisonAI before 4.6.78 fails to safely encode deployment configuration values when generating Python source code for API servers. Attackers can inject arbitrary Python expressions through the deploy.api.host and agents_file configuration parameters that execute when the generated server starts or handles requests.