CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-61428: PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attacke

highCVSS 7.3CVE-2026-61428
PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook endpoint to inject arbitrary content into the agent and trigger replies to attacker-controlled addresses, bypassing sender allow/block lists.

Details

Source
NVD Recent CVEs (US · database · site)
Severity
high — CVSS 7.3
Published
2026-07-11
Last updated
2026-07-11
Exploitation
Not in CISA KEV at last sync

Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-61428

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-61428coverage & exploitation statusNVD · CVE.org

More from NVD Recent CVEs