GHSA-63v4-w882-g4x2: PraisonAI: HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools
praisonai.bots.HTTPApproval renders pending tool approval arguments directly
into the approval dashboard HTML. An attacker-controlled tool argument can
inject JavaScript into that page. When a human opens the approval URL to inspect
the risky tool request, the script runs in the dashboard origin and can POST to
the same request’s /approve/{request_id}/decide endpoint, causing
HTTPApproval to return approved=True.
The local PoV uses a harmless touch /tmp/prai010 # command prefix and stops at
the approval decision. It does not execute the command.
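The rendering flaw described above, next to the same page built with output escaping, as an added example that is not PraisonAI's own code. The template, field names, request id and tool name are assumptions, and the inert script marker in the sample argument is constructed; only the command prefix comes from the advisory.

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample: a pending approval whose argument carries markup.
# The command prefix is the harmless one from the advisory's PoV.
PENDING = {
    "request_id": "req-0001",        # constructed id
    "tool_name": "execute_command",  # hypothetical tool name
    "arguments": {"command": "touch /tmp/prai010 # <script>/*marker*/</script>"},
}

# Hypothetical dashboard template (assumption, not the project's markup).
PAGE = "<html><body><h1>Approve {tool}?</h1><pre>{args}</pre></body></html>"


def render_unsafe(req):
    """Vulnerable pattern: arguments interpolated into HTML as-is."""
    return PAGE.format(tool=req["tool_name"], args=json.dumps(req["arguments"], indent=2))


def render_safe(req):
    """Hardened pattern: every untrusted field is HTML-escaped before interpolation."""
    return PAGE.format(
        tool=html.escape(str(req["tool_name"])),
        args=html.escape(json.dumps(req["arguments"], indent=2)),
    )


class TagCollector(HTMLParser):
    """Records every element an HTML parser would create from the page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(page, allowed=("html", "body", "h1", "pre")):
    """Return elements in the page that the template itself does not define."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return [t for t in collector.tags if t not in allowed]


if __name__ == "__main__":
    print("unsafe:", unexpected_tags(render_unsafe(PENDING)))
    print("safe:  ", unexpected_tags(render_safe(PENDING)))
```

The `unexpected_tags` check can serve as a regression test: any element that appears in the rendered page but not in the template means untrusted input reached the HTML parser unescaped.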