CVE-2026-44340 - Vulnerability Analysis

Overview

PraisonAI < 4.6.37 contains a path traversal caused by improper validation of symlink/hardlink members in _safe_extractall during archive extraction, letting attackers write arbitrary files outside the intended directory, exploit requires crafted archive.

Severity & Score

Impact

Attackers can write arbitrary files outside the intended directory, potentially leading to arbitrary code execution or system compromise.

Mitigation

Update to version 4.6.37 or later.

References

• https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9q28-ghcr-c4x3

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner