3 vulnerabilities across 1 product scored HIGH or above on July 11, 2026.

  • 🟠 HIGH: 3

Exploit Status Upgrades

The following CVEs from previous bulletins have been upgraded based on new exploit intelligence:

  • [UPGRADED] CVE-2026-54003 (getkirby/kirby) β€” F1: theoretical β†’ poc, AAS: 11.8 β†’ 11.5 (HIGH β†’ HIGH). Originally in 2026-07-09 bulletin.
  • [UPGRADED] CVE-2026-55207 (pimcore/pimcore) β€” F1: theoretical β†’ poc, AAS: 9.1 β†’ 11.6 (HIGH β†’ HIGH). Originally in 2026-07-09 bulletin.
  • [UPGRADED] CVE-2026-57480 (parse-community/parse-server) β€” F1: theoretical β†’ poc, AAS: 9.8 β†’ 12.3 (HIGH β†’ CRITICAL). Originally in 2026-07-08 bulletin.

🟠 [HIGH] mervinpraison/praisonai

3 CVEs | CVSS 4.0: 10.0 | AAS 10.4

  • cpe:2.3:a:mervinpraison:praisonai:*:*:*:*:*:*:*:* (< 4.6.78)

PraisonAI, an open-source AI agent framework by mervinpraison, is affected by three vulnerabilities including at least one critical remote code execution flaw rated CVSS 10.0. The most severe issue involves the CodeAgent component executing LLM-generated Python code without any sandboxing, AST validation, or import restrictions, allowing attackers to achieve arbitrary code execution and full environment secret exfiltration through prompt injection. Organizations running PraisonAI prior to version 1.6.78 should upgrade immediately and review their environments for signs of compromise, particularly any unauthorized access to secrets or unexpected outbound connections. Full details are available in the vendor’s GitHub security advisory.

Vendor Advisory