CVE-2026-40112 MEDIUM

CVE-2026-40112: PraisonAI has Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)

Vendor Mervinpraison
Product PraisonAI
Weakness CWE-79 · XSS
Published April 9, 2026
Last update April 14, 2026
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. This vulnerability is fixed in 4.5.128.

Key dates

02Disclosure timeline

April 9, 2026 CVE published
April 14, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-9225 Cross-site scripting (XSS) in MiR robots and MiR fleet CVE-2025-24687 WordPress Show/Hide Shortcode plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability CVE-2025-22546 WordPress jQuery TwentyTwenty plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability CVE-2022-1179 Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting in openemr/openemr CVE-2019-9540 Telos Automated Message Handling System reflected XSS in prefs.asp