{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40112", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T01:41:38.536Z", "datePublished": "2026-04-09T21:16:13.223Z", "dateUpdated": "2026-04-14T14:43:44.627Z"}, "containers": {"cna": {"title": "PraisonAI has Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"version": "< 4.5.128", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:16:13.223Z"}, "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. This vulnerability is fixed in 4.5.128."}], "source": {"advisory": "GHSA-cfg2-mxfj-j6pw", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:43:40.691981Z", "id": "CVE-2026-40112", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:43:44.627Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40112", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:43:40.691981Z"}}}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:43:32.195Z"}}], "cna": {"title": "PraisonAI has Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)", "source": {"advisory": "GHSA-cfg2-mxfj-j6pw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"status": "affected", "version": "< 4.5.128"}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw", "name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. This vulnerability is fixed in 4.5.128."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:16:13.223Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40112", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:43:44.627Z", "dateReserved": "2026-04-09T01:41:38.536Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T21:16:13.223Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "matchCriteriaId": "56CDE5F5-B03C-4C3A-9A92-F61C9DFDA9B1", "versionEndExcluding": "4.5.128", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. This vulnerability is fixed in 4.5.128."}], "id": "CVE-2026-40112", "lastModified": "2026-04-17T19:36:56.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-09T22:16:34.707", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.128)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAI", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonai", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-09T22:41:43.443547+00:00", "value": {"mitigation_remediation": ["Apply the official patch available in version\u00a04.5.128 or later of PraisonAI.", "If unable to update immediately, install the nh3 Python package so that the _sanitize_html function performs proper sanitization.", "Verify that no unsanitized HTML content is rendered in the API response.", "Monitor logs for unexpected agent output injections and consider restricting untrusted data sources that feed the agent."], "summary": {"action": "Immediate Patch", "impact": "Browser-Based Script Execution via Stored XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the PraisonAI product developed by MervinPraison. All releases older than version 4.5.128 are impacted. The default installation of PraisonAI, which omits the nh3 dependency, exposes the flaw because the HTML sanitizer does nothing.", "description_and_impact": "PraisonAI stores agent output directly in the HTML returned by a Flask API endpoint without proper sanitization. The sanitizer relies on the nh3 library, which is not installed by default, making the sanitization step a no\u2011op. An attacker able to influence agent input\u2014through techniques such as retrieval\u2011augmented generation data poisoning, web scraping results, or prompt injection\u2014can embed arbitrary JavaScript into the output. When any user views the API response in a browser, the injected script runs with the privileges of that user, allowing actions such as session hijacking, credential theft, or malicious redirects. This is a classic stored cross\u2011site scripting weakness identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity; the lack of an EPSS score and absence from the KEV catalogue suggest limited known exploitation, but the flaw could be leveraged in environments where API output is exposed to end users and the attacker can shape agent input. Exploitation requires only client\u2011side execution, so once the malicious content is delivered, the attack proceeds without additional privileges. The vulnerability is fixed in release 4.5.128, so updating to that or newer versions eliminates the risk."}}}}, "created": "2026-04-10T08:38:16.626391+00:00", "updated": "2026-04-10T09:28:59.492016+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonai"]}