CVE-2026-61433
Severity CVSS v4.0:
HIGH
Type:
CWE-94
Code Injection
Publication date:
15/07/2026
Last modified:
15/07/2026
Description
PraisonAI before 4.6.78 fails to safely encode deployment configuration values when generating Python source code for API servers. Attackers can inject arbitrary Python expressions through the deploy.api.host and agents_file configuration parameters that execute when the generated server starts or handles requests.
Impact
Base Score 4.0
8.50
Severity 4.0
HIGH
Base Score 3.x
7.80
Severity 3.x
HIGH



