Lucene search
K

10 matches found

OSV
OSV
added 6 days ago5 views

PYSEC-2026-469 PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack`

| Field | Value | |---|---| | Severity | Critical | | Type | Path traversal -- arbitrary file write via tar.extract without member validation | | Affected | src/praisonai/praisonai/cli/features/recipe.py:1170-1172 | Summary cmdunpack in the recipe CLI extracts .praison tar archives using raw...

9.4CVSS6AI score0.00379EPSS
Exploits1References6
OSV
OSV
added 2026/05/11 1:59 p.m.5 views

GHSA-9Q28-GHCR-C4X3 PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`

Summary The safeextractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls...

8.7CVSS6AI score0.00433EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/04/14 7:22 p.m.6 views

CVE-2026-40157

PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmdunpack in the recipe CLI extracts .praison tar archives using raw tar.extract without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who...

9.4CVSS5.9AI score0.00379EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/10 7:27 p.m.2 views

EUVD-2026-21509

PraisonAI vulnerable to arbitrary file write via path traversal in praisonai recipe unpack...

9.4CVSS5.9AI score0.00379EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/04/10 7:27 p.m.9 views

PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack`

| Field | Value | |---|---| | Severity | Critical | | Type | Path traversal -- arbitrary file write via tar.extract without member validation | | Affected | src/praisonai/praisonai/cli/features/recipe.py:1170-1172 | Summary cmdunpack in the recipe CLI extracts .praison tar archives using raw...

9.4CVSS6AI score0.00379EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/10 7:27 p.m.1 views

GHSA-99G3-W8GR-X37C PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack`

| Field | Value | |---|---| | Severity | Critical | | Type | Path traversal -- arbitrary file write via tar.extract without member validation | | Affected | src/praisonai/praisonai/cli/features/recipe.py:1170-1172 | Summary cmdunpack in the recipe CLI extracts .praison tar archives using raw...

9.4CVSS6AI score0.00379EPSS
Exploits1References4
NVD
NVD
added 2026/04/10 5:17 p.m.3 views

CVE-2026-40157

PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmdunpack in the recipe CLI extracts .praison tar archives using raw tar.extract without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who...

9.4CVSS0.00379EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/10 4:47 p.m.31 views

CVE-2026-40157 PraisonAI affected by arbitrary file write via path traversal in `praisonai recipe unpack`

PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmdunpack in the recipe CLI extracts .praison tar archives using raw tar.extract without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who...

9.4CVSS0.00379EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/10 4:47 p.m.2 views

CVE-2026-40157 PraisonAI affected by arbitrary file write via path traversal in `praisonai recipe unpack`

PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmdunpack in the recipe CLI extracts .praison tar archives using raw tar.extract without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who...

9.4CVSS5.9AI score0.00379EPSS
Exploits1References1
CVE
CVE
added 2026/04/10 4:47 p.m.19 views

CVE-2026-40157

Summary: PraisionAI’s recipe unpack (cmd_unpack) before 4.5.128 is vulnerable to a path traversal in .praison tar archives. The code uses tar.extract() without validating archive member paths, so a bundle containing ../../ entries can write files outside the intended output directory. An attacker...

9.4CVSS5.9AI score0.00379EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder