7273 matches found
CVE-2026-39308
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious...
CVE-2026-39307
PraisonAI is a multi-agent teams system. Prior to 1.5.113, The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources e.g., GitHub, the application uses Python's zipfile.extractall...
CVE-2026-39306
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains ../...
CVE-2026-39307 PraisonAI has an Arbitrary File Write (Zip Slip) in Templates Extraction
PraisonAI is a multi-agent teams system. Prior to 1.5.113, The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources e.g., GitHub, the application uses Python's zipfile.extractall...
CVE-2026-39307
Summary of CVE-2026-39307 PraisonAI templates installation uses Python’s zipfile.extractall() without validating that archive entries stay within the target extraction directory. This Zip Slip flaw existed prior to version 1.5.113 and could allow arbitrary file writes (potentially to system locat...
CVE-2026-39307 PraisonAI has an Arbitrary File Write (Zip Slip) in Templates Extraction
PraisonAI is a multi-agent teams system. Prior to 1.5.113, The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources e.g., GitHub, the application uses Python's zipfile.extractall...
CVE-2026-39307
PraisonAI is a multi-agent teams system. Prior to 1.5.113, The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources e.g., GitHub, the application uses Python's zipfile.extractall...
CVE-2026-39308
Summary: CVE-2026-39308 affects PraisonAI’s recipe registry publish flow. Before version 1.5.113, the endpoint writes uploaded bundles to a filesystem path derived from manifest.json before validating that manifest name/version against the URL. A crafted manifest with directory traversal (.. /) c...
CVE-2026-39308
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious...
CVE-2026-39308 PraisonAI recipe registry publish path traversal allows out-of-root file write
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious...
CVE-2026-39308 PraisonAI recipe registry publish path traversal allows out-of-root file write
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious...
CVE-2026-39306
Summary of CVE-2026-39306 (PraisonAI): The vulnerability is a path traversal / arbitrary file write in PriasonAI’s recipe registry pull flow. Before version 1.5.113, the system extracts uploaded tar bundles with tar.extractall() without validating archive member paths, allowing a malicious publis...
CVE-2026-39305
Summary of CVE-2026-39305 : PraisonAI is a multi-agent system whose Action Orchestrator feature contains a Path Traversal vulnerability. Prior to version 1.5.113, an attacker (or compromised agent) can cause Arbitrary File Write by supplying relative path segments (../) in the target path, enabli...
CVE-2026-39305 Arbitrary File Write / Path Traversal in Action Orchestrator
PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker or compromised agent to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments ../ in the...
CVE-2026-39305
PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker or compromised agent to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments ../ in the...
CVE-2026-39305 Arbitrary File Write / Path Traversal in Action Orchestrator
PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker or compromised agent to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments ../ in the...
CVE-2026-1078
An arbitrary file-write vulnerability in Pega Browser Extension PBE affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur ...
CVE-2026-1078 An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge.
An arbitrary file-write vulnerability in Pega Browser Extension PBE affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur ...
CVE-2026-1078
An arbitrary file-write vulnerability in Pega Browser Extension PBE affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur ...
CVE-2026-1078
CVE-2026-1078 concerns an arbitrary file-write vulnerability in the Pega Browser Extension (PBE) affecting Pega Robotic Automation v22.1 or R25 for automations running with Google Chrome or Microsoft Edge. The issue could allow a malicious website to cause a Robot Runtime user to write arbitrary ...