Home / Vulnerability Intelligence / CVE-2026-39891

CVE-2026-39891 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: April 9, 2026

PraisonAI - Template Injection

Published: April 8, 2026Updated: April 9, 2026Remote Exploitable

Overview

PraisonAI < 4.5.115 contains a template injection caused by unescaped user input in create_agent_centric_tools() function, letting attackers execute arbitrary template expressions, exploit requires crafted input via agent.start().

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 4.7%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary template expressions, potentially leading to code execution or data manipulation.

Mitigation

Update to version 4.5.115 or later.

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-hwg5-x759-7wjg

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Apr 9, 2026

🟠 CVE-2026-39891 - High (8.8) PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly int... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39891/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Apr 9, 2026

View original post

Related Resources

Details

CVE ID: CVE-2026-39891
Severity: High
CVSS Score: 8.8
Type: template_injection
Status: unconfirmed
EPSS: 4.7%
Social Posts: 2

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.7%Probability of exploitation in the next 30 days