Home Embedded Vulns General Vulns

CVE-2026-34937

HIGH 7.8

Our Analysis: Environment Specific

Our model has classified this vulnerability as relevant to Environment Specific Systems, helping your team prioritize efforts effectively.

Published Date April 3, 2026
Last Modified April 3, 2026
CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

PraisonAI is a multi-agent teams system. Prior to version 1.5.90, run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passing it to subprocess.run(..., shell=True). The escaping logic only handles \ and ", leaving $() and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked. This issue has been patched in version 1.5.90.

Potentially Affected Vendors