CVE-2026-40287HIGH 8.4EPSS p15.6%

CVE-2026-40287CVE-2026-40287

Description

PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139.

Scoring

CVSS 3.18.4 (HIGH)
VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.25% probability of exploitation · percentile 15.6% · 2026-06-19T12:03:05Z
Published2026-04-14
Last modified2026-04-20

Underlying weaknesses· 2

CWE-94CWE-426

References

  1. https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc
  2. https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc

2

TypeTargetConfidenceTier
WeaknessUntrusted Search Pathcwe-4260%live
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-44334
CVE
CVE-2026-40288
CVE
CVE-2026-34937
CVE
CVE-2026-44339
CVE
CVE-2026-44336
CVE
CVE-2026-41497
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.