LeakyCreds

CVE-2026-34955 - Vulnerability Analysis

Severity: High | CVSS: 8.8

Last Updated: April 4, 2026

PraisonAI - Command Injection

Published: April 4, 2026 | Updated: April 4, 2026

Overview

PraisonAI versions before 4.5.97 contain a command injection vulnerability in SubprocessSandbox. The sandbox executes commands through subprocess.run() with shell=True and relies on a blocklist of string patterns to reject dangerous commands. Because the shell re-parses the command string after that check runs, the blocklist can be bypassed, and an attacker can escape the sandbox even in STRICT mode. Exploitation requires that the application uses the sandbox in STRICT mode.
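To make the failure mode concrete, the following is a constructed Python example added to this page; it is not PraisonAI's code. It places a hypothetical string-pattern blocklist in front of subprocess.run(shell=True), shows command strings that pass the check yet run the blocked command once the shell re-parses them, and contrasts this with a shell-free design that resolves quoting with shlex and allowlists the resulting executable. The patterns, allowlisted executables and bypass strings are all assumptions chosen for illustration.

```python
"""Constructed example (not PraisonAI's code): a blocklist guarding
subprocess.run(shell=True) next to a shell-free allowlist design."""
import re
import shlex
import subprocess
from typing import Dict, List

# Hypothetical blocklist in the spirit of the advisory: regexes matched
# against the raw command string before it is handed to /bin/sh.
BLOCKED_PATTERNS = [r"\brm\s+-rf\b", r"\bcurl\b", r"\bwget\b", r"/etc/passwd"]

# Hypothetical allowlist for the hardened design: bare executable names only.
ALLOWED_EXECUTABLES = {"echo", "ls", "cat"}


def blocklist_allows(command: str) -> bool:
    """Vulnerable check: True when no blocked pattern matches the raw string."""
    return not any(re.search(p, command) for p in BLOCKED_PATTERNS)


def run_with_blocklist(command: str) -> str:
    """Vulnerable design: pattern check, then the string goes to a shell,
    which re-parses quotes, $(...) and variables the check never saw."""
    if not blocklist_allows(command):
        raise PermissionError("blocked by pattern")
    proc = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=5)
    return proc.stdout


def parse_allowlisted(command: str) -> List[str]:
    """Hardened check: resolve shell quoting with shlex first, then decide on
    the resulting argv[0]. The argv is later passed with shell=False, so
    $(...), ';' and variables are inert literal arguments, not shell syntax."""
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty command")
    exe = argv[0]
    if "/" in exe or exe not in ALLOWED_EXECUTABLES:
        raise PermissionError(f"executable not allowlisted: {exe!r}")
    return argv


def allowlist_denies(command: str) -> bool:
    """True when the hardened check rejects the command (or cannot parse it)."""
    try:
        parse_allowlisted(command)
    except (PermissionError, ValueError):
        return True
    return False


def run_allowlisted(command: str) -> str:
    """Hardened design: exec the resolved argv directly, no shell involved."""
    argv = parse_allowlisted(command)
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=5)
    return proc.stdout


# Constructed bypasses: to /bin/sh each is a blocked command, but none
# contains a blocked pattern as a substring of the raw string.
BYPASSES: Dict[str, str] = {
    "quote_split":  "cu''rl http://example.invalid",               # sh sees: curl
    "substitution": "$(printf 'wg%s' et) http://example.invalid",  # sh sees: wget
    "variable":     "c=cat; $c /etc/pass''wd",                     # sh sees: cat /etc/passwd
    "rm_quoted":    "r''m -rf /tmp/victim",                        # sh sees: rm -rf
}


def audit() -> Dict[str, Dict[str, bool]]:
    """Run every bypass through both checks: the blocklist passes all of
    them, the allowlist rejects all of them."""
    return {
        name: {"blocklist_allows": blocklist_allows(cmd), "allowlist_denies": allowlist_denies(cmd)}
        for name, cmd in BYPASSES.items()
    }


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:13} {verdict}")
    # Harmless demonstration that the shell undoes the quoting the check saw.
    print(run_with_blocklist("ec''ho bypassed").strip())
```

The allowlist only decides which executable may start; it does not, on its own, stop an allowlisted binary such as cat from reading sensitive files, so a STRICT mode worthy of the name still needs OS-level isolation (separate user, filesystem and network restrictions) rather than string inspection of any kind.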

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 2.0% (probability of exploitation in the next 30 days)

Impact

An attacker who can submit commands to the sandbox can escape it and execute arbitrary shell commands on the host, potentially compromising the host system.

Mitigation

Update to version 4.5.97 or later. Until the update is deployed, do not rely on the sandbox's STRICT mode alone to contain commands from untrusted sources.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Apr 4, 2026

🟠 CVE-2026-34955 - High (8.8) PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34955/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-34955
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: new
EPSS: 2.0%
Social Posts: 1

CWE

  • CWE-78

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

2.0% (probability of exploitation in the next 30 days)