Vulnerability-Lookup

GHSA-CFG2-MXFJ-J6PW

Vulnerability from github – Published: 2026-04-10 19:22 – Updated: 2026-04-10 19:22

Summary

PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)

Details

Summary

The Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output.

Details

In src/praisonai/api.py, lines 6-14 define the sanitizer with a try/except ImportError fallback:

try:
    import nh3
    def _sanitize_html(html: str) -> str:
        return nh3.clean(html)
except ImportError:
    def _sanitize_html(html: str) -> str:
        """Fallback: no nh3, return as-is (install nh3 for XSS protection)."""
        return html

The home() route at lines 21-25 converts agent output to HTML via markdown.markdown() (which preserves raw HTML tags by default) and embeds it in an HTML response using an f-string — bypassing Flask's Jinja2 auto-escaping:

@app.route('/')
def home():
    output = basic()
    html_output = _sanitize_html(markdown.markdown(str(output)))
    return f'<html><body>{html_output}</body></html>'

Since nh3 is not in any dependency list (pyproject.toml core deps, optional deps, or requirements files), a standard installation will always hit the fallback path. The markdown library's default behavior passes through raw HTML tags in input text, so any <script> or event handler attributes in the agent output flow directly into the response.

Additionally, deploy.py:76-91 generates a deployment version of api.py that has no sanitization at all — it directly calls markdown.markdown(output) without any _sanitize_html wrapper.

PoC

Set up a PraisonAI instance with an agent that processes external content (e.g., web scraping or RAG retrieval):

# agents.yaml
framework: crewai
topic: test
roles:
  researcher:
    role: Researcher
    goal: Process user-provided content
    backstory: You process content exactly as given
    tasks:
      process:
        description: "Return this exact text: <img src=x onerror=alert(document.cookie)>"
        expected_output: The text as-is

Verify nh3 is not installed (default):

pip show nh3 2>&1 | grep -c "not found"
# Returns 1 (not installed)

Start the API:

python src/praisonai/api.py

Access the endpoint:

curl http://localhost:5000/

Response contains unsanitized HTML:

<html><body><p><img src=x onerror=alert(document.cookie)></p></body></html>

Opening this in a browser executes the JavaScript payload.

Impact

Session hijacking: An attacker can steal cookies or session tokens from users viewing the API output.
Credential theft: Injected scripts can present fake login forms or exfiltrate data to attacker-controlled servers.
Actions on behalf of users: Malicious JavaScript can perform actions in the context of the victim's browser session.

The attack surface includes any scenario where agent output contains attacker-influenced content: RAG retrieval from poisoned documents, web scraping of malicious pages, processing of adversarial user prompts, or multi-agent communication where one agent's output is tainted.

Recommended Fix

Make nh3 a required dependency when using the API, and remove the silent fallback:

# Option 1: Make nh3 required in pyproject.toml under the "api" optional dependency
# In pyproject.toml:
# api = [
#     "flask>=3.0.0",
#     ...
#     "nh3>=0.2.14",
# ]

# Option 2: Use markdown's built-in HTML stripping as a safe default
import markdown

def _sanitize_html(html: str) -> str:
    try:
        import nh3
        return nh3.clean(html)
    except ImportError:
        import re
        return re.sub(r'<[^>]+>', '', html)  # Strip all HTML tags as fallback

# Option 3 (preferred): Use Flask's Jinja2 templating with auto-escaping
# instead of f-string interpolation, or use markupsafe.escape()
from markupsafe import Markup

@app.route('/')
def home():
    output = basic()
    # Use markdown with safe extensions only
    html_output = markdown.markdown(str(output), extensions=[])
    try:
        import nh3
        html_output = nh3.clean(html_output)
    except ImportError:
        raise RuntimeError("nh3 is required for safe HTML rendering. Install with: pip install nh3")
    return f'<html><body>{html_output}</body></html>'

Also fix deploy.py:76-91 to include sanitization in the generated api.py.

Severity

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "PraisonAI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.128"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:22:18Z",
    "nvd_published_at": "2026-04-09T22:16:34Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe Flask API endpoint in `src/praisonai/api.py` renders agent output as HTML without effective sanitization. The `_sanitize_html` function relies on the `nh3` library, which is not listed as a required or optional dependency in `pyproject.toml`. When `nh3` is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output.\n\n## Details\n\nIn `src/praisonai/api.py`, lines 6-14 define the sanitizer with a try/except ImportError fallback:\n\n```python\ntry:\n    import nh3\n    def _sanitize_html(html: str) -\u003e str:\n        return nh3.clean(html)\nexcept ImportError:\n    def _sanitize_html(html: str) -\u003e str:\n        \"\"\"Fallback: no nh3, return as-is (install nh3 for XSS protection).\"\"\"\n        return html\n```\n\nThe `home()` route at lines 21-25 converts agent output to HTML via `markdown.markdown()` (which preserves raw HTML tags by default) and embeds it in an HTML response using an f-string \u2014 bypassing Flask\u0027s Jinja2 auto-escaping:\n\n```python\n@app.route(\u0027/\u0027)\ndef home():\n    output = basic()\n    html_output = _sanitize_html(markdown.markdown(str(output)))\n    return f\u0027\u003chtml\u003e\u003cbody\u003e{html_output}\u003c/body\u003e\u003c/html\u003e\u0027\n```\n\nSince `nh3` is not in any dependency list (`pyproject.toml` core deps, optional deps, or requirements files), a standard installation will always hit the fallback path. The `markdown` library\u0027s default behavior passes through raw HTML tags in input text, so any `\u003cscript\u003e` or event handler attributes in the agent output flow directly into the response.\n\nAdditionally, `deploy.py:76-91` generates a deployment version of `api.py` that has **no sanitization at all** \u2014 it directly calls `markdown.markdown(output)` without any `_sanitize_html` wrapper.\n\n## PoC\n\n1. Set up a PraisonAI instance with an agent that processes external content (e.g., web scraping or RAG retrieval):\n\n```yaml\n# agents.yaml\nframework: crewai\ntopic: test\nroles:\n  researcher:\n    role: Researcher\n    goal: Process user-provided content\n    backstory: You process content exactly as given\n    tasks:\n      process:\n        description: \"Return this exact text: \u003cimg src=x onerror=alert(document.cookie)\u003e\"\n        expected_output: The text as-is\n```\n\n2. Verify `nh3` is not installed (default):\n```bash\npip show nh3 2\u003e\u00261 | grep -c \"not found\"\n# Returns 1 (not installed)\n```\n\n3. Start the API:\n```bash\npython src/praisonai/api.py\n```\n\n4. Access the endpoint:\n```bash\ncurl http://localhost:5000/\n```\n\n5. Response contains unsanitized HTML:\n```html\n\u003chtml\u003e\u003cbody\u003e\u003cp\u003e\u003cimg src=x onerror=alert(document.cookie)\u003e\u003c/p\u003e\u003c/body\u003e\u003c/html\u003e\n```\n\n6. Opening this in a browser executes the JavaScript payload.\n\n## Impact\n\n- **Session hijacking**: An attacker can steal cookies or session tokens from users viewing the API output.\n- **Credential theft**: Injected scripts can present fake login forms or exfiltrate data to attacker-controlled servers.\n- **Actions on behalf of users**: Malicious JavaScript can perform actions in the context of the victim\u0027s browser session.\n\nThe attack surface includes any scenario where agent output contains attacker-influenced content: RAG retrieval from poisoned documents, web scraping of malicious pages, processing of adversarial user prompts, or multi-agent communication where one agent\u0027s output is tainted.\n\n## Recommended Fix\n\nMake `nh3` a required dependency when using the API, and remove the silent fallback:\n\n```python\n# Option 1: Make nh3 required in pyproject.toml under the \"api\" optional dependency\n# In pyproject.toml:\n# api = [\n#     \"flask\u003e=3.0.0\",\n#     ...\n#     \"nh3\u003e=0.2.14\",\n# ]\n\n# Option 2: Use markdown\u0027s built-in HTML stripping as a safe default\nimport markdown\n\ndef _sanitize_html(html: str) -\u003e str:\n    try:\n        import nh3\n        return nh3.clean(html)\n    except ImportError:\n        import re\n        return re.sub(r\u0027\u003c[^\u003e]+\u003e\u0027, \u0027\u0027, html)  # Strip all HTML tags as fallback\n\n# Option 3 (preferred): Use Flask\u0027s Jinja2 templating with auto-escaping\n# instead of f-string interpolation, or use markupsafe.escape()\nfrom markupsafe import Markup\n\n@app.route(\u0027/\u0027)\ndef home():\n    output = basic()\n    # Use markdown with safe extensions only\n    html_output = markdown.markdown(str(output), extensions=[])\n    try:\n        import nh3\n        html_output = nh3.clean(html_output)\n    except ImportError:\n        raise RuntimeError(\"nh3 is required for safe HTML rendering. Install with: pip install nh3\")\n    return f\u0027\u003chtml\u003e\u003cbody\u003e{html_output}\u003c/body\u003e\u003c/html\u003e\u0027\n```\n\nAlso fix `deploy.py:76-91` to include sanitization in the generated `api.py`.",
  "id": "GHSA-cfg2-mxfj-j6pw",
  "modified": "2026-04-10T19:22:18Z",
  "published": "2026-04-10T19:22:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40112"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)"
}

CVE-2026-40112 (GCVE-0-2026-40112)

Vulnerability from cvelistv5 – Published: 2026-04-09 21:16 – Updated: 2026-04-14 14:43

Title

PraisonAI has Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)

Summary

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. This vulnerability is fixed in 4.5.128.

Severity

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/MervinPraison/PraisonAI/securi…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
MervinPraison	PraisonAI	Affected: < 4.5.128

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40112",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-14T14:43:40.691981Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-14T14:43:44.627Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PraisonAI",
          "vendor": "MervinPraison",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.128"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. This vulnerability is fixed in 4.5.128."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T21:16:13.223Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw"
        }
      ],
      "source": {
        "advisory": "GHSA-cfg2-mxfj-j6pw",
        "discovery": "UNKNOWN"
      },
      "title": "PraisonAI has Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40112",
    "datePublished": "2026-04-09T21:16:13.223Z",
    "dateReserved": "2026-04-09T01:41:38.536Z",
    "dateUpdated": "2026-04-14T14:43:44.627Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-CFG2-MXFJ-J6PW

Summary

Details

PoC

Impact

Recommended Fix

CVE-2026-40112 (GCVE-0-2026-40112)

Tags

Sightings

Nomenclature