CVE-2026-44337

EUVD-2026-28640
PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. This issue has been patched in version 4.6.34.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
praisonpraisonai
2.4.1 ≤
𝑥
< 4.6.34
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3643-7v76-5cj2
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3643-7v76-5cj2