{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40111", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T01:41:38.536Z", "datePublished": "2026-04-09T21:14:55.352Z", "dateUpdated": "2026-04-13T15:38:08.279Z"}, "containers": {"cna": {"title": "PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v7px-3835-7gjx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v7px-3835-7gjx"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAIAgents", "versions": [{"version": "< 1.5.128", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:14:55.352Z"}, "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell metacharacters are interpreted by /bin/sh before the intended command executes. Two independent attack surfaces exist. The first is via pre_run_command and post_run_command hook event types registered through the hooks configuration. The second and more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks registered for events such as BEFORE_TOOL and AFTER_TOOL fire automatically during agent operation. An agent that gains file-write access through prompt injection can overwrite .praisonai/hooks.json and have its payload execute silently at every subsequent lifecycle event without further user interaction. This vulnerability is fixed in 1.5.128."}], "source": {"advisory": "GHSA-v7px-3835-7gjx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v7px-3835-7gjx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:29:58.666017Z", "id": "CVE-2026-40111", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:38:08.279Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40111", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T15:29:58.666017Z"}}}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v7px-3835-7gjx", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:27:25.322Z"}}], "cna": {"title": "PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)", "source": {"advisory": "GHSA-v7px-3835-7gjx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAIAgents", "versions": [{"status": "affected", "version": "< 1.5.128"}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v7px-3835-7gjx", "name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v7px-3835-7gjx", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell metacharacters are interpreted by /bin/sh before the intended command executes. Two independent attack surfaces exist. The first is via pre_run_command and post_run_command hook event types registered through the hooks configuration. The second and more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks registered for events such as BEFORE_TOOL and AFTER_TOOL fire automatically during agent operation. An agent that gains file-write access through prompt injection can overwrite .praisonai/hooks.json and have its payload execute silently at every subsequent lifecycle event without further user interaction. This vulnerability is fixed in 1.5.128."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:14:55.352Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40111", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:38:08.279Z", "dateReserved": "2026-04-09T01:41:38.536Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T21:14:55.352Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1797C27-7EBC-4CEF-90B8-F84E8198632D", "versionEndExcluding": "1.5.128", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell metacharacters are interpreted by /bin/sh before the intended command executes. Two independent attack surfaces exist. The first is via pre_run_command and post_run_command hook event types registered through the hooks configuration. The second and more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks registered for events such as BEFORE_TOOL and AFTER_TOOL fire automatically during agent operation. An agent that gains file-write access through prompt injection can overwrite .praisonai/hooks.json and have its payload execute silently at every subsequent lifecycle event without further user interaction. This vulnerability is fixed in 1.5.128."}], "id": "CVE-2026-40111", "lastModified": "2026-04-17T19:40:24.213", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T22:16:34.560", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v7px-3835-7gjx"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v7px-3835-7gjx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.128)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAIAgents", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonaiagents", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-09T23:36:13.907867+00:00", "value": {"mitigation_remediation": ["Upgrade PraisonAIAgents to version 1.5.128 or later to eliminate the injection flaw.", "If an upgrade is not feasible, restrict write permissions on the \".praisonai/hooks.json\" file to trusted users only.", "Continuously monitor the hooks.json file for unexpected changes and audit agent lifecycle logs for suspicious command execution events."], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the MervinPraison PraisonAIAgents product prior to version 1.5.128. All releases before 1.5.128 contain the insecure memory hooks executor and are susceptible to command injection. Version 1.5.128 and later have the fix applied.", "description_and_impact": "PraisonAIAgents allows user\u2013supplied strings to be passed directly to the operating system shell through subprocess.run() with shell=True, and it performs no sanitization. This design flaw enables shell metacharacter injection, giving an adversary the ability to execute arbitrary commands. Two distinct exposure paths exist: configuration hooks registered via pre_run_command and post_run_command events, and the lifecycle configuration file \".praisonai/hooks.json\". The latter is particularly dangerous because an attacker who can write to this file\u2014such as by exploiting a prompt injection that grants file\u2011write access\u2014can overwrite the configuration and have their malicious payload run silently at every lifecycle event without further interaction.", "risk_and_exploitability": "The flaw is rated with a CVSS score of 9.3, indicating critical severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting that exploitation may not yet be widespread, though the potential impact remains high. Attacking the flaw requires the ability to supply a crafted command string or to overwrite the hooks.json file, which can be achieved via prompt injection or local write access. Once exploited, the attacker gains the same privileges as the PraisonAIAgents process, allowing full control over the host system."}}}}, "created": "2026-04-10T08:38:19.518919+00:00", "updated": "2026-04-10T09:29:03.277885+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonaiagents"]}