$ ls ./disclosures
Coordinated disclosure only. Each report carries a verifiable trail — CVE record, vendor advisory, and the dates from report to patch. Few, real, falsifiable. Not a volume game.
- SQL injection across 9 conversation store backends (incomplete fix for CVE-2026-40315)
- vendor:
- MervinPraison / PraisonAI
- package:
- praisonai, praisonaiagents (PyPI)
- CVSS:
- 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
- CWE:
- CWE-89 — SQL Injection
- affected:
- praisonai <= 4.6.8 · praisonaiagents <= 1.6.8
- patched:
- praisonai >= 4.6.9 · praisonaiagents >= 1.6.9
The fix for the prior CVE-2026-40315 only added table_prefix validation in SQLiteConversationStore. Nine sibling backends (MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso/LibSQL, SingleStore, Supabase, SurrealDB) still inserted table_prefix directly into f-string SQL without validation — 52 injection points in total. postgres.py additionally accepted an unvalidated schema parameter used in DDL. Under multi-tenant / API-driven / user-editable config → arbitrary SQL on the database.
timeline- 2026-04-16 advisory published (GHSA)
- 2026-05-08 CVE record (NVD)
Incomplete-fix review: take the patch on one backend and systematically check every sibling module with the same pattern (f-string identifier → DDL). Grep-driven pattern matching plus manual verification of each call site.
Suspect a vulnerability in one of my projects? → security policy .