PraisonAI CVE-2026-47391 - AI-Agent Exposure Leads a Low-Confidence GHSA Burst
Finding: PraisonAI CVE-2026-47391 A2A example exposes unauthenticated LLM eval path [UNCONFIRMED, single-source]
Confidence: Low/Unverified
Source: GitHub Advisory Database, GHSA-vg22-4gmj-prxw / CVE-2026-47391, from the 2026-05-30 evidence set. GHSA reports that a PraisonAI A2A example can reach eval-like execution paths without authentication. The evidence set records this as a fresh, non-excluded item with no ledger match, but the evidence is still single-source and should not be treated as confirmed exploitation.
The practical question is exposure. If PraisonAI examples, demos or agent PoCs have been published outside a lab-only boundary, owners should check whether any A2A routes are reachable without authentication. This is not an incident claim; it is a targeted inventory and containment task.
Finding: PraisonAI CVE-2026-47398 loader path enables arbitrary code execution [UNCONFIRMED, single-source]
Confidence: Low/Unverified
Source: GitHub Advisory Database, GHSA-78r8-wwqv-r299 / CVE-2026-47398, from the 2026-05-30 evidence set. GHSA reports a PraisonAI loader path involving unguarded spec.loader.exec_module behaviour. The item is a first appearance in the evidence set and sits outside the exclusion ledger.
Route this to teams using PraisonAI in automation, AI-agent runtimes or internal demo stacks. The useful action is to find the package, check whether untrusted inputs influence loader behaviour, and apply the advisory's update guidance once the owner validates the affected version.
Finding: PraisonAI MCP CVE-2026-47394 workflow.show allows unauthenticated file read [UNCONFIRMED, single-source]
Confidence: Low/Unverified
Source: GitHub Advisory Database, GHSA-9cr9-25q5-8prj / CVE-2026-47394, from the 2026-05-30 evidence set. GHSA reports that PraisonAI MCP workflow.show can read arbitrary files without authentication. The evidence set promoted it because it is fresh, non-excluded and relevant to exposed AI workflow surfaces.
Owners should identify MCP workflow endpoints and restrict access whilst fixed versions are checked. File-read paths are often most serious when demos, shared workspaces or multi-user environments blur the boundary between lab and production.
Finding: PraisonAI CVE-2026-47392 builtins leak weakens AI runtime isolation [UNCONFIRMED, single-source]
Confidence: Low/Unverified
Source: GitHub Advisory Database, GHSA-4mr5-g6f9-cfrh / CVE-2026-47392, from the 2026-05-30 evidence set. GHSA reports a builtins access issue via print.__self__ that can weaken AI runtime isolation. The evidence set records it as a first appearance with no exclusion match.
This belongs in an AI runtime sandbox review. Prioritise exposed, shared or multi-user environments first. Isolated local experiments are lower priority unless they process untrusted prompts, tools or workflow content from other users.
Finding: praisonai-platform CVE-2026-47410 ships a hardcoded JWT signing secret [UNCONFIRMED, single-source]
Confidence: Low/Unverified
Source: GitHub Advisory Database, GHSA-3qg8-5g3r-79v5 / CVE-2026-47410, from the 2026-05-30 evidence set. GHSA reports a default dev-secret-change-me JWT signing key in praisonai-platform. The evidence sweep treats it as fresh and absent from the exclusion file.
Check whether any deployment inherited the default secret. Rotate signing material where needed, review session validity and make sure customer-facing or shared environments are not carrying development defaults.
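One way to run that check against a token issued by your own deployment, as an added example (not praisonai-platform code). It assumes the platform signs with an HMAC algorithm (HS256/384/512), which the advisory summary above does not state; the sample tokens and the helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Default signing key named in the advisory summary above.
DEFAULT_SECRET = b"dev-secret-change-me"
# Assumption: the platform signs with an HMAC (HS*) algorithm.
HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def signed_with_default_secret(token: str) -> bool:
    """True if the token's signature verifies under the shipped default key."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        digest = HS_ALGS[json.loads(b64url_decode(header_b64))["alg"]]
        presented = b64url_decode(sig_b64)
    except (ValueError, KeyError, TypeError):
        return False  # malformed, or not HMAC-signed (e.g. RS256): not this issue
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(DEFAULT_SECRET, signing_input, digest).digest()
    return hmac.compare_digest(expected, presented)


def make_sample_token(secret: bytes) -> str:
    """Constructed fixture with made-up claims, used only to exercise the check."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps({"sub": "constructed-user"}).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


if __name__ == "__main__":
    for label, secret in [("default", DEFAULT_SECRET), ("rotated", b"constructed-rotated-key")]:
        flagged = signed_with_default_secret(make_sample_token(secret))
        print(f"{label}: {'ROTATE - default key in use' if flagged else 'ok'}")
```

A True result means every session token from that deployment should be treated as untrusted until the key is rotated; a False result only rules out the default key, not other weak secrets.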
Finding: Nezha CVE-2026-47268 DDNS webhook can trigger authenticated blind SSRF [UNCONFIRMED, single-source]
Confidence: Low/Unverified
Source: GitHub Advisory Database, GHSA-6x26-5727-rrm9 / CVE-2026-47268, from the 2026-05-30 evidence set. GHSA reports that authenticated dashboard users can drive blind SSRF through Nezha DDNS webhook settings. The evidence set marks it as new and outside the ledger.
The dependency on authenticated dashboard access changes the priority. Start with who can reach the dashboard, then review DDNS webhook configuration and any paths to metadata services or internal administration endpoints.
Finding: formie CVE-2026-47266 front-end editing can overwrite submissions [UNCONFIRMED, single-source]
Confidence: Low/Unverified
Source: GitHub Advisory Database, GHSA-pgxq-p76c-x9cg / CVE-2026-47266, from the 2026-05-30 evidence set. GHSA reports that unauthenticated front-end submission editing can overwrite existing formie submission data. The evidence set promoted it as a new, non-excluded finding.
This is an integrity issue before it is a breach story. Check public forms that collect sensitive requests, support data or compliance records, then apply update guidance before relying on stored submission history.
Finding: Admidio CVE-2026-47231 documents movesave IDOR affects file integrity [UNCONFIRMED, single-source]
Confidence: Low/Unverified
Source: GitHub Advisory Database, GHSA-x628-457g-2pw9 / CVE-2026-47231, from the 2026-05-30 evidence set. GHSA reports an IDOR in Admidio documents-files.php with mode=movesave. The item is new in the evidence set and sits outside the exclusion ledger.
Admidio owners should review document permissions and shared folder workflows. The priority rises where multiple users manage files in the same space or where file movement can affect governance, membership or operational records.
Finding: Admidio CVE-2026-47234 logs session IDs and auto-login cookie values [UNCONFIRMED, single-source]
Confidence: Low/Unverified
Source: GitHub Advisory Database, GHSA-mch8-wf3h-6x88 / CVE-2026-47234, from the 2026-05-30 evidence set. GHSA reports that session identifiers and auto-login cookie values can land in Admidio logs. The evidence set records this as fresh with no exclusion match.
Patch planning should sit alongside log access review. Restrict who can read application logs, check whether historical logs contain reusable session material and expire affected sessions if owners confirm exposure.
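The historical-log check described above, as an added example (not Admidio code): it finds session-like values in log lines, redacts them, and reports only SHA-256 fingerprints so the audit output does not become a second copy of the secrets. The key names, value shape and log lines are constructed assumptions; match them to what your deployment actually logs.

```python
import hashlib
import re

# Assumed key suffixes and value shape; adjust to the names your deployment logs.
SECRET_KV = re.compile(
    r"(?P<key>\w*(?:SESSION_ID|AUTO_LOGIN_ID))(?P<sep>\s*[=:]\s*)(?P<val>[A-Za-z0-9._-]{16,})",
    re.IGNORECASE,
)

# Constructed sample lines, not real Admidio log output.
SAMPLE_LOG = [
    "2026-05-30 04:12:01 INFO login ok user=constructed-admin DEMO_SESSION_ID=4f9c2a7be1d04c5d9a3e6b7f8c0d1e2f",
    "2026-05-30 04:12:02 DEBUG cookies DEMO_AUTO_LOGIN_ID: b2c4e6f8a0b1c3d5e7f9a1b3c5d7e9f1",
    "2026-05-30 04:12:05 INFO page=documents-files.php mode=list",
]


def fingerprint(value: str) -> str:
    """Short SHA-256 fingerprint, safe to put in a report or ticket."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def scan_log(lines):
    """Return (findings, redacted_lines); raw secret values never leave this function."""
    findings, redacted = [], []
    for lineno, line in enumerate(lines, 1):
        def mask(m, lineno=lineno):
            fp = fingerprint(m["val"])
            findings.append({"line": lineno, "key": m["key"], "fp": fp})
            return f"{m['key']}{m['sep']}[REDACTED sha256:{fp}]"
        redacted.append(SECRET_KV.sub(mask, line))
    return findings, redacted


def sessions_to_expire(findings, active_session_ids):
    """Active sessions whose fingerprint appears in the logs and should be expired."""
    leaked = {f["fp"] for f in findings}
    return [sid for sid in active_session_ids if fingerprint(sid) in leaked]


if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    print(found)
    print("\n".join(clean))
```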
Finding: Admidio CVE-2026-47232 PKCS#12 private-key export lacks CSRF protection [UNCONFIRMED, single-source]
Confidence: Low/Unverified
Source: GitHub Advisory Database, GHSA-4rgq-38mh-9xqg / CVE-2026-47232, from the 2026-05-30 evidence set. GHSA reports that Admidio PKCS#12 private-key export can be triggered without CSRF protection. The evidence set includes it because the current exclusion file does not contain it and the sweep recorded no ledger match.
Prioritise Admidio deployments that handle certificates or private-key material. Owners should apply advisory guidance and verify that sensitive export actions require CSRF-safe paths.
Update: FortiClient EMS CVE-2026-35616 active exploitation confirmed
Confidence: Medium
Previously covered as an older story; today's delta: The evidence set re-admitted CVE-2026-35616 after the 2026-05-29 10:33 sweep recorded activeexploitation_confirmed proof from SecurityWeek and The Hacker News reporting. Those reports say attackers are exploiting FortiClient EMS CVE-2026-35616 to deploy credential-stealer payloads. The evidence set did not include a fresh official Fortinet URL, so confidence stays at Medium rather than High.
This is the only exploitation-driven item in today's brief. Identify FortiClient EMS exposure, verify patch status and hunt for credential-stealer activity where EMS is internet-reachable or administratively exposed.
Why This Matters
Today's NEW findings are not a reason to alarm the business. They are a reason to find where fast-moving AI-agent examples, web-app components and community administration tools are deployed before small advisory items become messy ownership gaps.
The higher-priority action is separate: FortiClient EMS CVE-2026-35616 now has fresh exploitation reporting in the evidence set. That should move through exposure, patch and hunt checks ahead of the GHSA-only items.
Recommended Actions
- Check PraisonAI and praisonai-platform exposure in labs, demos, customer PoCs, MCP endpoints, A2A examples and JWT configuration.
- Route Nezha, formie and Admidio findings to web-application owners for SSRF, IDOR, CSRF, record-integrity and log-secret checks.
- Treat FortiClient EMS CVE-2026-35616 as the active-exploitation priority: verify patch status and inspect for credential-stealer activity.
- Keep all ten GHSA-only NEW findings under 24-hour corroboration watch before using stronger language in external material.
- Keep suppressed or excluded stories out of executive escalation unless future sweeps provide strict material-update proof.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 30 May 2026.