PT-2026-57192 · Mervinpraison · Praisonai

Rexpository

·

Publicado

2026-07-10

·

Atualizado

2026-07-10

·

CVE-2026-61432

CVSS v3.1

5.7

Média

VetorAV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
PraisonAI (praisonaiagents) before 1.6.78 contains a path traversal vulnerability in the FastContext feature (praisonaiagents.context.fast). FastContextAgent.execute tool() prepends the configured workspace path only for relative paths and neither rejects absolute paths nor canonicalizes joined paths before enforcing workspace containment. As a result, tool arguments or model-generated function calls to grep search, glob search, read file, or list directory can supply absolute paths or '../' traversal sequences to read, search, and enumerate files outside the intended workspace directory, with file contents returned to the caller or injected into the model's tool-result context.

Exploit

Correção

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-61432

Produtos afetados

Praisonai