CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-34954

PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services. This issue has been patched in version 1.5.95.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 12.7%

CVSS Severity

CVSS v3 Score 8.6

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-44c2-3rw4-5gvh

Products affected by CVE-2026-34954

Praison » Praisonai » Version: Any

cpe:2.3:a:praison:praisonai:*

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-34954

Products

Pricing

Contact Us