I
AI Agent Frameworks
CVE-2026-34938: Python Sandbox Escape
PraisonAI · sandboxed exec · isinstance() bypass · Fixed v1.5.90 · March 2026
GHSA-6vh2-h83c-9294 · NVD
Critical CVSS 10.0
CVE-2026-34934: Second-Order SQL Injection
PraisonAI · thread management · f-string SQL construction · Fixed v4.5.90 · March 2026
GHSA-9cq8-3v94-434g · NVD
Critical CVSS 9.8
CVE-2026-34935: OS Command Injection
PraisonAI · MCP server config · shlex.split() to subprocess · Fixed v4.5.69 · March 2026
GHSA-9gm9-c8mq-vq7m · NVD
Critical CVSS 9.8
CVE-2026-34953: Authentication Bypass
PraisonAI · OAuth token validation · return True fallthrough · Fixed v4.5.97 · March 2026
GHSA-98f9-fqg5-hvq5 · NVD
Critical CVSS 9.1
CVE-2026-34952: Missing Authentication on WebSocket Gateway
PraisonAI · WebSocket gateway · auth_token never enforced · Fixed v4.5.97 · March 2026
GHSA-cfh6-vr3j-qc3g · NVD
Critical CVSS 9.1
CVE-2026-34955: Sandbox Escape via Incomplete Blocklist
PraisonAI · subprocess sandbox · shell=True, sh not blocked · Fixed v4.5.97 · March 2026
GHSA-r4f2-3m54-pp7q · NVD
High CVSS 8.8
CVE-2026-34954: Server-Side Request Forgery
PraisonAI · file download · follow_redirects=True, no IP filtering · Fixed v1.5.95 · March 2026
GHSA-44c2-3rw4-5gvh · NVD
High CVSS 8.6
Pending: Server-Side Request Forgery
AGiXT · Custom API Endpoint · requests.request() no validation · Fixed commit 711f507 · March 2026
High CVSS 8.6
CVE-2026-34937: Shell Injection
PraisonAI · Python exec wrapper · shell=True, $ and backticks unescaped · Fixed v1.5.90 · March 2026
GHSA-w37c-qqfp-c67f · NVD
High CVSS 7.8
CVE-2026-34936: Server-Side Request Forgery
PraisonAI · LLM passthrough fallback · api_base no validation · Fixed v4.5.90 · March 2026
GHSA-x6m9-gxvr-7jpv · NVD
High CVSS 7.7
CVE-2026-39981: Path Traversal
AGiXT · file operation commands · safe_join() bypass · Fixed v1.9.2 · March 2026
GHSA-5gfj-64gh-mgmw · NVD
High CVSS 8.8
CVE-2026-34939: Regex Denial of Service
PraisonAI · tool search · re.compile() on user input, no timeout · Fixed v4.5.90 · March 2026
GHSA-8w9j-hc3g-3g7f · NVD
Medium CVSS 6.5
CVE-2026-37007: Arbitrary File Write via Path Traversal
crewai-tools · FileWriterTool · os.path.join() no boundary check · Fixed v1.11.1 · May 2026
NVD
Medium CVSS 6.8
CVE-2026-37008: Python Sandbox Escape in CodeInterpreterTool
crewai-tools · CodeInterpreterTool · ctypes absent from import blocklist · commit fb2323b · May 2026
NVD
Critical CVSS 9.0
CVE-2026-37009: SQL Injection in NL2SQLTool
crewai-tools · NL2SQLTool · session.execute() no statement restriction · commit 9524d50 · May 2026
NVD
Critical CVSS 9.8
CVE-2026-37003: RCE via Prompt Injection in PythonTools and ShellTools
agno · PythonTools / ShellTools · exec() / subprocess no sandbox · Fixed v2.5.9 · May 2026
NVD
Critical CVSS 9.8
CVE-2026-37006: Pre-Auth RCE via MCP WebSocket Handler
gpt-researcher · WebSocket /ws · command/args no auth, no allowlist · Fixed v0.14.8 · May 2026
NVD
Critical CVSS 9.8
CVE-2026-37012: Hardcoded Credentials and Silent Telemetry Exfiltration
PentestGPT · langfuse.py · hardcoded secret key, raw command exfiltration · Fixed v1.0.1 · May 2026
NVD
High CVSS 7.5
CVE-2026-37004: SSTI to RCE in PromptManager
litellm · PromptManager · jinja2.Environment unsandboxed · Fixed v1.82.5 · May 2026
NVD
Critical CVSS 10.0
CVE-2026-36535: Unauthenticated RCE in Upsonic
Upsonic · upsonic run /call endpoint · 0.0.0.0 binding, no auth · Unpatched · June 2026
NVD
Critical CVSS 9.8
II
ML Infrastructure
Additional findings under coordinated disclosure
RCE via deserialization · sandbox escape · denial of service · publishing through mid-2026
Pending
Active coordinated disclosures in progress. Full public disclosure begins June 2026. All findings follow a 90-day coordinated window with maintainers before publication.
Vulnerability classes
Remote Code Execution
Server-Side Request Forgery
Path Traversal
Arbitrary File Operations
Deserialization (pickle RCE)
Sandbox Escape
Model Guardrail Bypass
Denial of Service