Description
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. This vulnerability is fixed in 4.5.128.
Published: 2026-04-09
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Browser-Based Script Execution via Stored XSS
Action: Immediate Patch
AI Analysis

Impact

PraisonAI stores agent output directly in the HTML returned by a Flask API endpoint without proper sanitization. The sanitizer relies on the nh3 library, which is not installed by default, making the sanitization step a no‑op. An attacker able to influence agent input—through techniques such as retrieval‑augmented generation data poisoning, web scraping results, or prompt injection—can embed arbitrary JavaScript into the output. When any user views the API response in a browser, the injected script runs with the privileges of that user, allowing actions such as session hijacking, credential theft, or malicious redirects. This is a classic stored cross‑site scripting weakness identified as CWE‑79.

Affected Systems

The vulnerability affects the PraisonAI product developed by MervinPraison. All releases older than version 4.5.128 are impacted. The default installation of PraisonAI, which omits the nh3 dependency, exposes the flaw because the HTML sanitizer does nothing.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity; the lack of an EPSS score and absence from the KEV catalogue suggest limited known exploitation, but the flaw could be leveraged in environments where API output is exposed to end users and the attacker can shape agent input. Exploitation requires only client‑side execution, so once the malicious content is delivered, the attack proceeds without additional privileges. The vulnerability is fixed in release 4.5.128, so updating to that or newer versions eliminates the risk.

Generated by OpenCVE AI on April 9, 2026 at 22:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch available in version 4.5.128 or later of PraisonAI.
  • If unable to update immediately, install the nh3 Python package so that the _sanitize_html function performs proper sanitization.
  • Verify that no unsanitized HTML content is rendered in the API response.
  • Monitor logs for unexpected agent output injections and consider restricting untrusted data sources that feed the agent.

Generated by OpenCVE AI on April 9, 2026 at 22:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cfg2-mxfj-j6pw PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)
History

Fri, 17 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonai

Tue, 14 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonai
Vendors & Products Mervinpraison
Mervinpraison praisonai

Thu, 09 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. This vulnerability is fixed in 4.5.128.
Title PraisonAI has Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

Mervinpraison Praisonai
Praison Praisonai
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T14:43:44.627Z

Reserved: 2026-04-09T01:41:38.536Z

Link: CVE-2026-40112

cve-icon Vulnrichment

Updated: 2026-04-14T14:43:32.195Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T22:16:34.707

Modified: 2026-04-17T19:36:56.910

Link: CVE-2026-40112

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:28:59Z

Weaknesses