CVE-2026-40112: PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)

April 10, 2026

The Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output.

References

github.com/MervinPraison/PraisonAI
github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128
github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw
github.com/advisories/GHSA-cfg2-mxfj-j6pw
nvd.nist.gov/vuln/detail/CVE-2026-40112

Code Behaviors & Features

Detect and mitigate CVE-2026-40112 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →