CVE-2026-39305
published 2026-04-07

Priority: P264
Severity: critical
CVSS 3.1 score: 10
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
EPSS: 0.31% (22.9th percentile)

PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (../) in the target path, malicious actions can overwrite sensitive system files or drop executable payloads on the host. This vulnerability is fixed in 1.5.113.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.5.113 | 4.5.113 |
| mervinpraison | praisonai | >= 0 < 4.5.113 | 4.5.113 |
| praison | praisonai | <= 4.5.112 | |