Command Injection Affecting praisonai package, versions [,4.5.149)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-PRAISONAI-16422859
- published5 May 2026
- disclosed17 Apr 2026
- creditdecsecre583
Introduced: 17 Apr 2026
NewCVE-2026-41497 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade PraisonAI to version 4.5.149 or higher.
Overview
PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent collaboration.
Affected versions of this package are vulnerable to Command Injection via the parse_mcp_command function. An attacker can execute arbitrary system commands by supplying malicious input that is passed directly to subprocess execution without validation.