What happened
PraisonAI before 4.6.78 (CVSS 9.9 Critical) allows chat-interface prompt injection to trigger arbitrary file writes and root-level command execution via the AICoder component, due to absent path/command validation on LLM-directed tool calls.
Why it matters
This gives a remote attacker root-level code execution on any host running PraisonAI's AICoder simply by manipulating chat input — a severe, directly-exploitable agent tool-calling flaw affecting a widely-installed AI agent framework.
Attack vector
Missing path validation and command sanitization in the AICoder component's LLM tool calls lets an attacker inject malicious prompts through the chat interface to write files to arbitrary filesystem locations and execute arbitrary shell commands with root privileges.
Affected systems
PraisonAI before 4.6.78
Mitigation
Upgrade PraisonAI to 4.6.78 or later; sanitize/validate all file paths and shell command arguments generated by the LLM before execution.