Back to CVE List

CVE-2026-40157

CRITICAL SEVERITY

Vulnerability Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack. This vulnerability is fixed in 4.5.128.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-22
Source
NVD
Vendor
MervinPraison
Product
PraisonAI

External References

Discussion (0)

Add Comment

No comments yet. Be the first!