Path Traversal in Mervinpraison Praisonai

CVE-2026-40157

PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write…
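The following is an added example (not PraisonAI's own code) that reproduces the bug class described above in isolation: a tar archive whose member name starts with `../../` is extracted with `tar.extract()` and lands outside the destination directory, while a validating extractor rejects the same archive before writing anything. The archive is constructed in memory; `build_malicious_bundle`, `unpack_unsafe`, `unpack_safe` and `safe_member_path` are names chosen for this example and do not correspond to functions in the project. `unpack_unsafe` explicitly passes `filter="fully_trusted"` on interpreters that support filters so that it behaves like the historical default regardless of Python version.

```python
import io
import os
import tarfile
import tempfile

# tarfile extraction filters exist on Python 3.12+ (and were backported to
# some 3.8-3.11 releases); the hasattr check keeps the example portable.
_HAS_FILTERS = hasattr(tarfile, "data_filter")


def build_malicious_bundle() -> bytes:
    """Constructed sample archive: one benign member plus one traversal member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        benign = b"name: demo\n"
        info = tarfile.TarInfo("recipe.yaml")
        info.size = len(benign)
        tar.addfile(info, io.BytesIO(benign))

        # tarfile does not sanitise names on write, so "../../" survives.
        payload = b"written outside the extraction directory\n"
        info = tarfile.TarInfo("../../escaped.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def unpack_unsafe(bundle: bytes, dest: str) -> None:
    """Vulnerable pattern: raw tar.extract() per member, no path validation."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r") as tar:
        for member in tar.getmembers():
            if _HAS_FILTERS:
                # Reproduces the pre-3.14 default behaviour (no filtering).
                tar.extract(member, path=dest, filter="fully_trusted")
            else:
                tar.extract(member, path=dest)


def safe_member_path(dest: str, member: tarfile.TarInfo) -> str:
    """Return the resolved target for a member, or raise if it would escape dest.

    Only regular files and directories are allowed: symlinks and hardlinks are
    rejected outright, since a link extracted earlier could redirect a later
    member outside dest even when its own name looks harmless.
    """
    if not (member.isfile() or member.isdir()):
        raise ValueError(f"unsupported member type for {member.name!r}")
    dest_real = os.path.realpath(dest)
    # os.path.join discards dest for absolute names, so "/etc/passwd" is caught too.
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"member escapes destination: {member.name!r}")
    return target


def unpack_safe(bundle: bytes, dest: str) -> list:
    """Hardened pattern: validate every member first, then extract."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r") as tar:
        members = tar.getmembers()
        for member in members:          # first pass: reject before any write
            safe_member_path(dest, member)
        for member in members:          # second pass: extract
            if _HAS_FILTERS:
                tar.extract(member, path=dest, filter="data")  # defence in depth
            else:
                tar.extract(member, path=dest)
        return [m.name for m in members]


def demo() -> dict:
    """Run both extractors against the constructed bundle and report the outcome."""
    bundle = build_malicious_bundle()
    results = {}

    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "a", "b")   # two levels deep, so ../../ hits root
        os.makedirs(dest)
        unpack_unsafe(bundle, dest)
        results["unsafe_escaped"] = os.path.exists(os.path.join(root, "escaped.txt"))

    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "a", "b")
        os.makedirs(dest)
        try:
            unpack_safe(bundle, dest)
            results["safe_raised"] = False
        except ValueError:
            results["safe_raised"] = True
        results["safe_escaped"] = os.path.exists(os.path.join(root, "escaped.txt"))
        results["safe_wrote_anything"] = bool(os.listdir(dest))

    return results


if __name__ == "__main__":
    print(demo())
```

The two-pass structure in `unpack_safe` matters: validating each member immediately before extracting it would still leave a partially written bundle on disk when a later member is rejected. On Python 3.12 and later, `tarfile`'s built-in `filter="data"` performs a comparable path check itself, and from Python 3.14 it is the default for `extract()` and `extractall()`; callers on older interpreters, or code that wants to keep working when a future archive triggers a filter error, still need an explicit check like the one above.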

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (24.5th percentile)

Affected products

Weakness classification (CWE)

References