NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-40157

Summary	PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack. This vulnerability is fixed in 4.5.128.
Publication Date	April 11, 2026, 2:17 a.m.
Registration Date	April 15, 2026, 11:36 a.m.
Last Update	April 15, 2026, 12:16 a.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-99g3-w8gr-x37c	security-advisories@github.com
2	https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-99g3-w8gr-x37c	134c704f-9b21-4f2e-91b3-4a467353bcc0

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html