Code Execution
Remote code execution is unusually common in the AI/ML ecosystem because two long-standing patterns persist: pickle-based model loading and Jinja-style template rendering. Pickle is Python's default serialisation format and it executes arbitrary code on deserialisation; PyTorch models, scikit-learn pipelines, and many older HuggingFace artefacts are pickle files, so loading an untrusted model file is equivalent to running an untrusted script. HuggingFace addressed this with safetensors, but the older format is still widespread. The second pattern is template injection in LLM application frameworks that render Jinja-like syntax inside user-controlled prompts; LangChain, LlamaIndex, and several agent frameworks have shipped CVEs of this shape. Inference servers (vLLM, Triton, BentoML, Ray Serve) round out the RCE landscape with the usual web-app issues. Defenses: never load model files from untrusted sources, prefer safetensors, sandbox inference, and audit any code path that combines user input with template rendering.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-gcq3-mfvh-3x25 | PraisonAI: workspace bypass allows arbitrary file read/write | praisonai | 7.3 |
| CRITICAL | GHSA-p75f-6fp4-p57w | PraisonAI: unauthenticated RCE via MCP connect endpoint | praisonai | 9.8 |
| HIGH | GHSA-x92v-rpx6-p6cw | PraisonAI: webhook auth bypass enables agent prompt injection | praisonai | 8.6 |
| CRITICAL | GHSA-892r-p3jq-jp24 | PraisonAI AgentOS: unauth remote agent invocation (CVSS 9.8) | praisonai | 9.8 |
| CRITICAL | GHSA-x8cv-xmq7-p8xp | praisonaiagents: unauth AgentTeam API allows agent takeover | praisonaiagents | 9.8 |
| CRITICAL | GHSA-fq2m-6wqh-x44g | praisonai: unauthenticated Jobs API enables remote agent RCE | praisonai | 9.8 |
| CRITICAL | GHSA-j4hj-7hfh-g2f4 | praisonai: silent auth bypass exposes agent exec endpoints | praisonai | 9.8 |
| CRITICAL | GHSA-4869-x4pr-q22x | PraisonAI: Unauthenticated RCE via Jobs API auth bypass | praisonaiagents | 9.8 |
| CRITICAL | GHSA-x227-pf99-vffg | praisonaiagents: unauthenticated MCP SSE server enables RCE | praisonaiagents | 9.8 |
| MEDIUM | GHSA-pv2j-rghr-v5r9 | praisonaiagents: sandbox escape via format-spec read | praisonaiagents | 6.5 |
| HIGH | GHSA-w6h2-fr4q-xvxv | PraisonAI: file tool shell injection enables RCE | praisonai | 8.8 |
| HIGH | GHSA-v847-hxxw-3pxg | PraisonAI: streaming bypass enables dangerous tool execution | praisonai | 7.8 |
| HIGH | GHSA-63v4-w882-g4x2 | PraisonAI: XSS bypasses human-in-the-loop tool approval | praisonai | 8.8 |
| HIGH | GHSA-fc26-m9pf-v56q | PraisonAI LinearBot: webhook auth bypass enables agent exec | praisonai | 8.6 |
| HIGH | GHSA-5qw8-f2g9-ff29 | PraisonAI: auth bypass exposes recipe API to unauthenticated callers | praisonai | 8.2 |
| HIGH | GHSA-vmf9-xx9w-86wx | PraisonAI: DNS rebinding exposes MCP agent tools | praisonai | 8.3 |
| HIGH | GHSA-8579-rgg5-ph2m | praisonai: Discord approval bypass executes agent tools | praisonai | 8.8 |
| HIGH | GHSA-5jv7-2mjm-h6qj | praisonai: shell allowlist bypass enables OS command injection | praisonai | 8.8 |
| HIGH | GHSA-h2w2-v7j6-xqm4 | praisonai: tool approval bypass executes denied actions | praisonai | 8.8 |
| CRITICAL | GHSA-j4f3-55x4-r6q2 | praisonai: MCP HTTP server unauthenticated tool invocation | praisonai | 9.8 |