Impact
The vulnerability exists in the PraisonAI agents component. Before version 1.5.90, the execute_code() method runs supplied Python code inside a sandbox that is meant to restrict system access. Attackers can create a subclass of the built‑in str type that overrides the startswith() method. When this object is used by the sandbox’s _safe_getattr wrapper, the override bypasses the sandbox layers and allows execution of arbitrary OS commands on the host machine. The weakness is categorized as CWE‑693 because input validation fails, leading to loss of integrity and potential confidentiality compromise.
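The guard weakness described above, as an added example for reviewing similar attribute filters. It is not PraisonAI's code: the guard functions, the Target class and the LyingStr subclass are hypothetical names constructed here, and the real _safe_getattr implementation is not shown on this page. The weak guard trusts a method looked up on the caller-supplied name; the hardened guard accepts only an exact built-in str and calls the check through the str type.

```python
# Added illustration; not PraisonAI's code. All names here are hypothetical.

class Target:
    """Constructed sample object with one public and one private attribute."""
    public = "ok"
    _private = "blocked by policy"


def weak_getattr(obj, name):
    # Weak guard: the check runs a method resolved on the caller-supplied
    # object, so a str subclass controls the answer.
    if name.startswith("_"):
        raise AttributeError("access to private attributes is denied")
    return getattr(obj, name)


def hardened_getattr(obj, name):
    # Hardened guard: reject anything that is not an exact built-in str,
    # then call the check through the str type so no override can run.
    if type(name) is not str:
        raise TypeError("attribute name must be an exact str")
    if str.startswith(name, "_"):
        raise AttributeError("access to private attributes is denied")
    return getattr(obj, name)


class LyingStr(str):
    """Constructed str subclass whose startswith() always reports False."""
    def startswith(self, *args, **kwargs):
        return False


def guard_result(guard, name):
    """Return ('allowed', value) or ('denied', exception type name)."""
    try:
        return ("allowed", guard(Target(), name))
    except (AttributeError, TypeError) as exc:
        return ("denied", type(exc).__name__)


if __name__ == "__main__":
    for guard in (weak_getattr, hardened_getattr):
        for name in ("public", "_private", LyingStr("_private")):
            print(guard.__name__, type(name).__name__, guard_result(guard, name))
```

Note that isinstance(name, str) would not be a sufficient check, because a subclass instance passes it.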
Affected Systems
Affected systems are installations of PraisonAI’s praisonai‑agents package with versions earlier than 1.5.90. The vendor is MervinPraison, and the product hosting the vulnerable code is the PraisonAI agents service. Versions 1.5.90 and newer contain the fix and are not affected.
Risk and Exploitability
The CVSS base score is 10, indicating critical severity. EPSS indicates an exploitation likelihood lower than 1 %. Although the vulnerability is not listed in the CISA KEV catalog, its ability to escape a sandbox and run arbitrary commands makes it a high‑impact target. The likely attack vector is via the execute_code API, which can be invoked remotely by an attacker who can provide arbitrary code payloads. The exploit requires no additional privileges; if the agent runs with host system permissions, the injected code can gain the same level of access.