AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-40112: PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent

mediumvulnerability

security

Source: NVD/CVE DatabaseApril 9, 2026CVE-2026-40112

Summary

PraisonAI, a system that uses multiple AI agents to work together as teams, has a vulnerability in versions before 4.5.128 where it displays agent output as HTML without properly cleaning it first. An attacker can inject malicious JavaScript code (code that runs in a web browser) through poisoned data or tricked prompts, and this code will execute when someone views the output.

Solution / Mitigation

Update PraisonAI to version 4.5.128 or later, which includes a fix for this vulnerability.

Vulnerability Details

CVSS Score

5.4(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Attack Vector

network

Attack Complexity

low

Privileges Required

none

User Interaction

required

Disclosure Date

April 9, 2026

Classification

Attack Type

RAG PoisoningPrompt Injection

Attack SophisticationModerate

Impact (CIA+S)

integrity

Taxonomy References

CWE (Weakness Type)

CWE-79

CAPEC (Attack Pattern)

CAPEC-198 CAPEC-86

MITRE ATLAS (AI/ML Threat Technique)

Affected Vendors

LangChain

Related Issues

medium

CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e

Same vendorNVD/CVE Database

critical

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Same vendor

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-40112

First tracked: April 9, 2026 at 08:07 PM

Classified by LLM (prompt v3) · confidence: 92%