
7148 matches found

CVE
added 2026/04/07 4:49 p.m. | 15 views

CVE-2026-39307

Summary of CVE-2026-39307: PraisonAI templates installation uses Python’s zipfile.extractall() without validating that archive entries stay within the target extraction directory. This Zip Slip flaw existed prior to version 1.5.113 and could allow arbitrary file writes (potentially to system locat...

CVSS 8.1 | AI score 5.9 | EPSS 0.00068
Exploits: 1 | References: 1 | Affected Software: 1
ATTACKERKB
added 2026/04/07 4:49 p.m. | 0 views

CVE-2026-39307

PraisonAI is a multi-agent teams system. Prior to 1.5.113, the PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's zipfile.extractall...

CVSS 8.1 | AI score 5.9 | EPSS 0.00068
Exploits: 1 | References: 2 | Affected Software: 1
Cvelist
added 2026/04/07 4:49 p.m. | 14 views

CVE-2026-39307 PraisonAI has an Arbitrary File Write (Zip Slip) in Templates Extraction

PraisonAI is a multi-agent teams system. Prior to 1.5.113, the PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's zipfile.extractall...

CVSS 8.1 | EPSS 0.00068
Exploits: 1 | References: 1
Vulnrichment
added 2026/04/07 4:49 p.m. | 0 views

CVE-2026-39307 PraisonAI has an Arbitrary File Write (Zip Slip) in Templates Extraction

PraisonAI is a multi-agent teams system. Prior to 1.5.113, the PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's zipfile.extractall...

CVSS 8.1 | AI score 5.9 | EPSS 0.00068
Exploits: 1 | References: 1
CVE
added 2026/04/07 4:48 p.m. | 7 views

CVE-2026-39308

Summary: CVE-2026-39308 affects PraisonAI’s recipe registry publish flow. Before version 1.5.113, the endpoint writes uploaded bundles to a filesystem path derived from manifest.json before validating that manifest name/version against the URL. A crafted manifest with directory traversal (../) c...

CVSS 7.1 | AI score 6.1 | EPSS 0.00095
Exploits: 1 | References: 1 | Affected Software: 1
Vulnrichment
added 2026/04/07 4:48 p.m. | 1 views

CVE-2026-39308 PraisonAI recipe registry publish path traversal allows out-of-root file write

PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious...

CVSS 7.1 | AI score 6.1 | EPSS 0.00095
Exploits: 1 | References: 1
ATTACKERKB
added 2026/04/07 4:48 p.m. | 0 views

CVE-2026-39308

PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious...

CVSS 7.1 | AI score 6.1 | EPSS 0.00095
Exploits: 1 | References: 2 | Affected Software: 1
Cvelist
added 2026/04/07 4:48 p.m. | 15 views

CVE-2026-39308 PraisonAI recipe registry publish path traversal allows out-of-root file write

PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious...

CVSS 7.1 | EPSS 0.00095
Exploits: 1 | References: 1
CVE
added 2026/04/07 4:48 p.m. | 13 views

CVE-2026-39306

Summary of CVE-2026-39306 (PraisonAI): The vulnerability is a path traversal / arbitrary file write in PraisonAI’s recipe registry pull flow. Before version 1.5.113, the system extracts uploaded tar bundles with tar.extractall() without validating archive member paths, allowing a malicious publis...

CVSS 7.3 | AI score 6.1 | EPSS 0.00052
Exploits: 1 | References: 1 | Affected Software: 1
Vulnrichment
added 2026/04/07 4:47 p.m. | 0 views

CVE-2026-39305 Arbitrary File Write / Path Traversal in Action Orchestrator

PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker or compromised agent to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments ../ in the...

CVSS 9 | AI score 6.1 | EPSS 0.00076
Exploits: 1 | References: 1
Cvelist
added 2026/04/07 4:47 p.m. | 12 views

CVE-2026-39305 Arbitrary File Write / Path Traversal in Action Orchestrator

PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker or compromised agent to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments ../ in the...

CVSS 9 | EPSS 0.00076
Exploits: 1 | References: 1
ATTACKERKB
added 2026/04/07 4:47 p.m. | 0 views

CVE-2026-39305

PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker or compromised agent to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments ../ in the...

CVSS 9 | AI score 6.1 | EPSS 0.00076
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2026/04/07 4:47 p.m. | 10 views

CVE-2026-39305

Summary of CVE-2026-39305: PraisonAI is a multi-agent system whose Action Orchestrator feature contains a Path Traversal vulnerability. Prior to version 1.5.113, an attacker (or compromised agent) can cause Arbitrary File Write by supplying relative path segments (../) in the target path, enabli...

CVSS 10 | AI score 6.1 | EPSS 0.00076
Exploits: 1 | References: 1 | Affected Software: 1
NVD
added 2026/04/07 4:16 p.m. | 1 views

CVE-2026-1078

An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur ...

CVSS 7.2 | EPSS 0.00059
Exploits: 0 | References: 1
Cvelist
added 2026/04/07 3:4 p.m. | 14 views

CVE-2026-1078 An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge.

An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur ...

CVSS 7.2 | EPSS 0.00059
Exploits: 0 | References: 1
ATTACKERKB
added 2026/04/07 3:4 p.m. | 2 views

CVE-2026-1078

An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur ...

CVSS 7.2 | AI score 6 | EPSS 0.00059
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2026/04/07 3:4 p.m. | 7 views

CVE-2026-1078

CVE-2026-1078 concerns an arbitrary file-write vulnerability in the Pega Browser Extension (PBE) affecting Pega Robotic Automation v22.1 or R25 for automations running with Google Chrome or Microsoft Edge. The issue could allow a malicious website to cause a Robot Runtime user to write arbitrary ...

CVSS 7.2 | AI score 6 | EPSS 0.00059
Exploits: 0 | References: 1
Vulnrichment
added 2026/04/07 3:4 p.m. | 1 views

CVE-2026-1078 An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge.

An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur ...

CVSS 7.2 | AI score 6 | EPSS 0.00059
Exploits: 0 | References: 1
Vulnrichment
added 2026/04/07 3:3 p.m. | 0 views

CVE-2026-35492 Kedro-Datasets has a path traversal vulnerability in PartitionedDataset allows arbitrary file write

Kedro-Datasets is a Kedro plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a...

CVSS 6.5 | AI score 6 | EPSS 0.00018
Exploits: 0 | References: 3
CVE
added 2026/04/07 3:3 p.m. | 17 views

CVE-2026-35492

Kedro-Datasets PartitionedDataset has a path traversal vulnerability prior to 9.3.0, where partition IDs were concatenated with the dataset base path without validation, potentially allowing writing outside the dataset directory on local FS or storage backends (S3, GCS, etc.). The issue affects a...

CVSS 6.5 | AI score 6 | EPSS 0.00018
Exploits: 0 | References: 3