I. AI Agent Frameworks
CVE-2026-34938: Python Sandbox Escape
PraisonAI · sandboxed exec · isinstance() bypass · Fixed v1.5.90 · March 2026
GHSA-6vh2-h83c-9294 · NVD
Critical CVSS 10.0
CVE-2026-34934: Second-Order SQL Injection
PraisonAI · thread management · f-string SQL construction · Fixed v4.5.90 · March 2026
GHSA-9cq8-3v94-434g · NVD
Critical CVSS 9.8
CVE-2026-34935: OS Command Injection
PraisonAI · MCP server config · shlex.split() to subprocess · Fixed v4.5.69 · March 2026
GHSA-9gm9-c8mq-vq7m · NVD
Critical CVSS 9.8
CVE-2026-34953: Authentication Bypass
PraisonAI · OAuth token validation · return True fallthrough · Fixed v4.5.97 · March 2026
GHSA-98f9-fqg5-hvq5 · NVD
Critical CVSS 9.1
CVE-2026-34952: Missing Authentication on WebSocket Gateway
PraisonAI · WebSocket gateway · auth_token never enforced · Fixed v4.5.97 · March 2026
GHSA-cfh6-vr3j-qc3g · NVD
Critical CVSS 9.1
CVE-2026-34955: Sandbox Escape via Incomplete Blocklist
PraisonAI · subprocess sandbox · shell=True, sh not blocked · Fixed v4.5.97 · March 2026
GHSA-r4f2-3m54-pp7q · NVD
High CVSS 8.8
CVE-2026-34954: Server-Side Request Forgery
PraisonAI · file download · follow_redirects=True, no IP filtering · Fixed v1.5.95 · March 2026
GHSA-44c2-3rw4-5gvh · NVD
High CVSS 8.6
Pending: Server-Side Request Forgery
AGiXT · Custom API Endpoint · requests.request() no validation · Fixed commit 711f507 · March 2026
High CVSS 8.6
CVE-2026-34937: Shell Injection
PraisonAI · Python exec wrapper · shell=True, $ and backticks unescaped · Fixed v1.5.90 · March 2026
GHSA-w37c-qqfp-c67f · NVD
High CVSS 7.8
CVE-2026-34936: Server-Side Request Forgery
PraisonAI · LLM passthrough fallback · api_base no validation · Fixed v4.5.90 · March 2026
GHSA-x6m9-gxvr-7jpv · NVD
High CVSS 7.7
Pending: Path Traversal
AGiXT · file operation commands · safe_join() bypass · Fixed commit 2079ea5 · March 2026
High CVSS 8.1
CVE-2026-34939: Regex Denial of Service
PraisonAI · tool search · re.compile() on user input, no timeout · Fixed v4.5.90 · March 2026
GHSA-8w9j-hc3g-3g7f · NVD
Medium CVSS 6.5
II. ML Infrastructure
Additional findings under coordinated disclosure
RCE via deserialization · sandbox escape · denial of service · publishing through mid-2026
Pending
Active coordinated disclosures in progress. Full public disclosure begins June 2026. All findings follow a 90-day coordinated window with maintainers before publication.
Vulnerability classes
Remote Code Execution
Server-Side Request Forgery
Path Traversal
Arbitrary File Operations
Deserialization (pickle RCE)
Sandbox Escape
Model Guardrail Bypass
Denial of Service