VIR Vulnerability Intelligence Relay

CVE-2026-44340

high
Published 2026-05-08 · Modified 2026-05-11
CVSS v3
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v2
VIR risk
7.5

Description

PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`

Predictions

Exploit likelihood
83%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9q28-ghcr-c4x3

Package impact
EcosystemPackageVulnerableFixed
python PyPIpraisonai<4.6.374.6.37
PIPPraisonAI<= 4.6.364.6.37

Application impact
VendorProductVersionsFixed
praisonpraisonai{"endExcluding":"4.6.37"}4.6.37

References

CWEs

CWE-22 CWE-59

Verify integrity in audit chain (admin only). AS-IS.