critical AI Issue
PraisonAI Critical RCE + Sandbox Escape (Two CVEs)
| CVE | CVE-2026-39890 |
| Severity | critical |
| Status | open |
| Date | April 8, 2026 |
| Affects | PraisonAI multi-agent AI framework |
| Source | www.thehackerwire.com |
Details
Two critical vulnerabilities were disclosed on April 8.
CVE-2026-39890 (CVSS 9.8): YAML RCE via js-yaml dangerous tags (!js/function) in agent definition files.
CVE-2026-39888 (CVSS 9.9): Sandbox escape via an incomplete AST blocklist: the missing entries traceback, tb_frame, f_back and f_builtins allow a frame-traversal chain that exposes the real Python builtins.
Fix: PraisonAI 4.5.115 / 1.5.115.
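The blocklist gap described for CVE-2026-39888 can be checked with a small AST pass. This is an added example, not code from the advisory or from PraisonAI. It compares a blocklist without the four frame-traversal names against one that includes them. Assumptions: `BASE_BLOCKLIST`, `find_blocked` and the sample snippets are hypothetical, and "traceback" is read as the exception attribute `__traceback__`.

```python
import ast

# Hypothetical starting blocklist (assumption: NOT PraisonAI's actual list).
BASE_BLOCKLIST = frozenset({"__class__", "__subclasses__", "__globals__",
                            "__builtins__", "__import__", "eval", "exec"})

# The four names the advisory reports as missing. "traceback" is read here
# as the exception attribute __traceback__ (assumption).
FRAME_ATTRS = frozenset({"__traceback__", "tb_frame", "f_back", "f_builtins"})

HARDENED_BLOCKLIST = BASE_BLOCKLIST | FRAME_ATTRS


def find_blocked(source, blocklist):
    """Return sorted (lineno, name) pairs for every blocked name in source.

    Checks attribute access (obj.name), bare names, and string literals,
    since getattr(obj, "name") reaches the same attribute without an
    ast.Attribute node. The source is parsed only, never executed.
    """
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute):
            name = node.attr
        elif isinstance(node, ast.Name):
            name = node.id
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            name = node.value
        else:
            continue
        if name in blocklist:
            hits.add((node.lineno, name))
    return sorted(hits)


# Constructed sample inputs (parsed, not run).
SAMPLE_ATTR = """
try:
    1 / 0
except Exception as e:
    b = e.__traceback__.tb_frame.f_back.f_builtins
"""
SAMPLE_GETATTR = 'x = getattr(frame, "f_builtins")'

if __name__ == "__main__":
    for label, bl in (("base", BASE_BLOCKLIST), ("hardened", HARDENED_BLOCKLIST)):
        print(label, find_blocked(SAMPLE_ATTR, bl), find_blocked(SAMPLE_GETATTR, bl))
```

A static name check cannot see names assembled at run time, so it belongs alongside process-level isolation rather than in place of it.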