AI Threat Alert AI Threat Alert

CVE-2026-40112

MEDIUM
Published April 9, 2026

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml....

Full CISO analysis pending enrichment.

Severity & Risk

CVSS 3.1
5.4 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI Required
S Unchanged
C Low
I Low
A None

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-40112?

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt in

Is CVE-2026-40112 actively exploited?

No confirmed active exploitation of CVE-2026-40112 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-40112?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-40112?

CVE-2026-40112 has a CVSS v3.1 base score of 5.4 (MEDIUM).

Technical Details

NVD Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. This vulnerability is fixed in 4.5.128.

Weaknesses (CWE)

CWE-79 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

Timeline

Published
April 9, 2026
Last Modified
April 9, 2026
First Seen
April 9, 2026
Back to Threat Feed