CVE-2026-39305

Source
https://cve.org/CVERecord?id=CVE-2026-39305
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39305.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39305
Aliases
Published
2026-04-07T16:47:18.102Z
Modified
2026-07-15T01:49:12.548987476Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H CVSS Calculator
Summary
Arbitrary File Write / Path Traversal in Action Orchestrator
Details

PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (../) in the target path, malicious actions can overwrite sensitive system files or drop executable payloads on the host. This vulnerability is fixed in 1.5.113.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39305.json"
}
References

Affected packages

Git / github.com/mervinpraison/praisonai

Affected ranges

Type
GIT
Repo
https://github.com/mervinpraison/praisonai
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.5.113"
        },
        {
            "last_affected": "4.5.112"
        }
    ]
}

Affected versions

0.*
0.0.55
0.0.56
0.0.57
0.0.59rc5
2.*
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.40
2.0.41
2.0.42
2.0.43
2.0.44
2.0.45
2.0.46
2.0.47
2.0.48
2.0.49
2.0.50
2.0.51
2.0.53
2.0.54
2.0.55
2.0.56
2.0.57
2.0.58
2.0.59
2.0.60
2.0.61
2.0.62
2.0.63
2.0.64
2.0.65
2.0.66
2.0.67
2.0.68
2.0.69
2.0.70
2.0.71
2.0.72
2.0.73
2.0.74
2.0.75
2.0.76
praisonai-cli@0.*
praisonai-cli@0.2.0
praisonai-derive@0.*
praisonai-derive@0.2.0
praisonai@0.*
praisonai@0.2.0
v0.*
v0.0.1
v0.0.18
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.29
v0.0.30
v0.0.31
v0.0.32
v0.0.33
v0.0.34
v0.0.35
v0.0.36
v0.0.37
v0.0.38
v0.0.39
v0.0.40
v0.0.41
v0.0.42
v0.0.43
v0.0.44
v0.0.45
v0.0.46
v0.0.47
v0.0.48
v0.0.49
v0.0.50
v0.0.51
v0.0.52
v0.0.53
v0.0.54
v0.0.58
v0.0.59
v0.0.59rc1
v0.0.59rc11
v0.0.59rc2
v0.0.59rc3
v0.0.59rc4
v0.0.59rc5
v0.0.59rc6
v0.0.59rc7
v0.0.59rc8
v0.0.59rc9
v0.0.61
v0.0.62
v0.0.63
v0.0.64
v0.0.65
v0.0.66
v0.0.67
v0.0.68
v0.0.69
v0.0.70
v0.0.71
v0.0.72
v0.0.73
v0.0.74
v0.1.0
v0.1.1
v0.1.10
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.2.0
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.8
v1.0.9
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.20
v2.0.21
v2.0.22
v2.0.23
v2.0.24
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.77
v2.0.78
v2.0.79
v2.0.8
v2.0.80
v2.0.81
v2.0.9
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.2.0
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.18
v2.2.19
v2.2.2
v2.2.20
v2.2.21
v2.2.22
v2.2.23
v2.2.24
v2.2.25
v2.2.26
v2.2.27
v2.2.28
v2.2.29
v2.2.3
v2.2.30
v2.2.31
v2.2.32
v2.2.33
v2.2.34
v2.2.35
v2.2.36
v2.2.37
v2.2.38
v2.2.39
v2.2.4
v2.2.40
v2.2.41
v2.2.42
v2.2.43
v2.2.44
v2.2.45
v2.2.46
v2.2.47
v2.2.48
v2.2.49
v2.2.5
v2.2.50
v2.2.51
v2.2.52
v2.2.53
v2.2.54
v2.2.55
v2.2.56
v2.2.57
v2.2.58
v2.2.59
v2.2.6
v2.2.60
v2.2.61
v2.2.62
v2.2.63
v2.2.64
v2.2.65
v2.2.66
v2.2.67
v2.2.68
v2.2.69
v2.2.7
v2.2.70
v2.2.71
v2.2.72
v2.2.73
v2.2.74
v2.2.75
v2.2.76
v2.2.77
v2.2.78
v2.2.79
v2.2.8
v2.2.80
v2.2.81
v2.2.82
v2.2.83
v2.2.84
v2.2.85
v2.2.86
v2.2.87
v2.2.89
v2.2.9
v2.2.90
v2.2.91
v2.2.93
v2.2.96
v2.2.97
v2.2.98
v2.2.99
v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.18
v2.3.19
v2.3.2
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.28
v2.3.29
v2.3.3
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.4
v2.3.40
v2.3.41
v2.3.42
v2.3.43
v2.3.44
v2.3.45
v2.3.46
v2.3.47
v2.3.48
v2.3.49
v2.3.5
v2.3.50
v2.3.51
v2.3.52
v2.3.53
v2.3.54
v2.3.55
v2.3.56
v2.3.57
v2.3.58
v2.3.59
v2.3.6
v2.3.60
v2.3.61
v2.3.62
v2.3.63
v2.3.64
v2.3.65
v2.3.66
v2.3.67
v2.3.68
v2.3.69
v2.3.7
v2.3.70
v2.3.71
v2.3.72
v2.3.73
v2.3.74
v2.3.75
v2.3.76
v2.3.77
v2.3.78
v2.3.79
v2.3.8
v2.3.80
v2.3.81
v2.3.82
v2.3.83
v2.3.84
v2.3.85
v2.3.86
v2.3.87
v2.3.9
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.5.0
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v4.*
v4.4.10
v4.4.11
v4.4.12
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.4.9
v4.5.0
v4.5.1
v4.5.10
v4.5.100
v4.5.101
v4.5.102
v4.5.103
v4.5.104
v4.5.105
v4.5.106
v4.5.107
v4.5.108
v4.5.109
v4.5.11
v4.5.110
v4.5.111
v4.5.112
v4.5.12
v4.5.13
v4.5.14
v4.5.15
v4.5.16
v4.5.17
v4.5.18
v4.5.19
v4.5.2
v4.5.20
v4.5.21
v4.5.22
v4.5.23
v4.5.24
v4.5.25
v4.5.26
v4.5.27
v4.5.28
v4.5.29
v4.5.3
v4.5.30
v4.5.31
v4.5.32
v4.5.33
v4.5.34
v4.5.35
v4.5.36
v4.5.37
v4.5.38
v4.5.39
v4.5.40
v4.5.41
v4.5.42
v4.5.43
v4.5.44
v4.5.45
v4.5.46
v4.5.48
v4.5.49
v4.5.5
v4.5.51
v4.5.52
v4.5.54
v4.5.55
v4.5.56
v4.5.57
v4.5.58
v4.5.59
v4.5.6
v4.5.60
v4.5.62
v4.5.63
v4.5.64
v4.5.65
v4.5.67
v4.5.68
v4.5.69
v4.5.7
v4.5.70
v4.5.71
v4.5.72
v4.5.73
v4.5.74
v4.5.76
v4.5.77
v4.5.78
v4.5.79
v4.5.8
v4.5.80
v4.5.81
v4.5.82
v4.5.83
v4.5.85
v4.5.87
v4.5.88
v4.5.9
v4.5.90
v4.5.93
v4.5.94
v4.5.95
v4.5.96
v4.5.97
v4.5.98

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39305.json"