CVE-2026-39305
moderate-risk
Published 2026-04-07
PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (../) in the target path, malicious actions can overwrite sensitive system files or drop executable payloads on the host. This vulnerability is fixed in 1.5.113.
Do I need to act?
-
0.05% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.0/10
Critical
LOCAL
/ LOW complexity
Affected Products (1)
Affected Vendors
32
/ 100
moderate-risk
Severity
27/34 · High
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal