CVE-2026-40148

PraisionAI (multi-agent system) is affected by CVE-2026-40148 prior to version 4.5.128. The _safe_extractall() function in PraisionAI’s recipe registry validates members for path traversal but does not enforce limits on individual member sizes, total extracted size, or member count before tar.ext...