CVE-2026-40112

PraisonAI has Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)

Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. This vulnerability is fixed in 4.5.128.

INFO

Published Date :

2026-04-09T21:16:13.223Z

Last Modified :

2026-04-09T21:16:13.223Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-40112 vulnerability.

Vendors	Products
Mervinpraison	Praisonai

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40112.

URL	Resource
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact