Security: MervinPraison/PraisonAI
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
Crawl4AI/Chromium backend is also affected by the `web_crawl` SSRF validation bypassGHSA-6g59-gm2v-qhvq published
Jun 25, 2026 by MervinPraisonHigh -
DNS rebinding bypass in `web_crawl` SSRF protection allows internal response disclosureGHSA-qg25-6gc4-48mg published
Jun 25, 2026 by MervinPraisonHigh -
ContextGatherer include resolution permits absolute and traversal reads outside the workspaceGHSA-q7m5-3jmv-vm48 published
Jun 25, 2026 by MervinPraisonModerate -
FastContext path resolution permits absolute and traversal reads outside the workspaceGHSA-4xxv-6wmf-xf45 published
Jun 25, 2026 by MervinPraisonModerate -
API deploy code generator embeds unescaped YAML fields into Python sourceGHSA-79fv-7hq9-w7xg published
Jun 25, 2026 by MervinPraisonHigh -
Shell command allowlist bypass via find -exec built-in actionGHSA-cv3g-hj65-pcfh published
Jun 25, 2026 by MervinPraisonHigh -
Call API localhost-only authentication bypass via spoofed Host headerGHSA-2gpf-2492-q9jh published
Jun 25, 2026 by MervinPraisonHigh -
AgentMail webhook mode accepts forged unsigned message.received events and invokes agentsGHSA-7c92-x8vg-4258 published
Jun 25, 2026 by MervinPraisonHigh -
Unsafe Dynamic Module Loading Leads to Arbitrary Code Execution via tools.py in AgentFlowGHSA-4gfv-wg42-7jw5 published
Jun 25, 2026 by MervinPraisonHigh -
Remote Code Execution via Broken AST SandboxGHSA-26mh-57q7-jfvr published
Jun 25, 2026 by MervinPraisonHigh