CVE-2026-39307HIGH 8.1EPSS p23.0%

CVE-2026-39307CVE-2026-39307

Description

PraisonAI is a multi-agent teams system. Prior to 1.5.113, The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's zipfile.extractall() without verifying if the files within the archive resolve outside of the intended extraction directory. This vulnerability is fixed in 1.5.113.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
EPSS0.31% probability of exploitation · percentile 23.0% · 2026-06-19T12:03:05Z
Published2026-04-07
Last modified2026-04-16

Underlying weaknesses· 1

CWE-22

References

  1. https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4ph2-f6pf-79wv

1

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-39891
CVE
CVE-2026-40157
CVE
CVE-2026-34937
CVE
CVE-2026-39305
CVE
CVE-2026-40287
CVE
CVE-2026-34954
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.