CVE-2026-39305 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-39305

CVE-2026-39305

Published:April 07, 2026

Updated:April 20, 2026

PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (../) in the target path, malicious actions can overwrite sensitive system files or drop executable payloads on the host. This vulnerability is fixed in 1.5.113.

Affected Packages

praisonai (PYTHON):

Affected version(s) >=0.0.1 <4.5.113

Fix Suggestion:

Update to version 4.5.113

praisonai (PYTHON):

Affected version(s) >=0.0.1 <4.5.113

Fix Suggestion:

Update to version 4.5.113

Related Resources (4)

https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113

https://nvd.nist.gov/vuln/detail/CVE-2026-39305

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-jfxc-v5g9-38xr

https://github.com/MervinPraison/PraisonAI

Do you need more information?

CVSS v4

Base Score:

8.4

Attack Vector

LOCAL

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

HIGH

Subsequent System Availability

HIGH

CVSS v3

Base Score:

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

EPSS

Base Score:

0.02

Products

Solutions

Resources

Company

Compare

Developer Tools