PT-2026-31994 · Praisonai · Praisonai

Published: 2026-04-10 · Updated: 2026-04-12 · CVE-2026-40157

CVSS v4.0: 9.4 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: PraisonAI versions prior to 4.5.128

Description: PraisonAI is a multi-agent teams system. The cmd unpack function in the recipe CLI extracts .praison tar archives using tar.extract() without validating archive member paths. A malicious .praison bundle containing ../../ entries can write files outside the intended output directory, potentially overwriting arbitrary files on the victim's filesystem when the praisonai recipe unpack command is executed.

Recommendations: Update to version 4.5.128 or later.
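The description above boils down to one missing check: member names from an untrusted tar archive are handed to the extractor verbatim. The Python below is an added defensive example, not code from PraisonAI, the fix release or this advisory; it shows the check an unpack routine needs before any file is written. It goes slightly beyond the ../../ case in the text by also rejecting absolute names, symlink and hard-link members that point outside the destination, and device or FIFO members. Every function name, and the two constructed .praison bundles built in a temporary directory, are assumptions for the demo.

```python
import io
import os
import tarfile
import tempfile


def is_within_directory(base: str, target: str) -> bool:
    """True if target, after resolving '..' and symlinks, still lies under base."""
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(target)
    return os.path.commonpath([base_real, target_real]) == base_real


def check_member(dest: str, member: tarfile.TarInfo) -> None:
    """Raise ValueError for any archive member that could touch a path outside dest."""
    if os.path.isabs(member.name):
        raise ValueError(f"absolute member path: {member.name!r}")
    target = os.path.join(dest, member.name)
    if not is_within_directory(dest, target):
        raise ValueError(f"path traversal in member: {member.name!r}")
    if member.issym():
        # a symlink target is resolved relative to the link's own directory
        link_target = os.path.join(os.path.dirname(target), member.linkname)
        if not is_within_directory(dest, link_target):
            raise ValueError(f"symlink escapes destination: {member.name!r}")
    elif member.islnk():
        # a hard link target is resolved relative to the archive root
        if not is_within_directory(dest, os.path.join(dest, member.linkname)):
            raise ValueError(f"hard link escapes destination: {member.name!r}")
    elif not (member.isfile() or member.isdir()):
        raise ValueError(f"unsupported member type: {member.name!r}")


def safe_unpack(archive_path: str, dest: str) -> list:
    """Validate every member first, then extract; nothing is written if any member fails."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(archive_path, "r:*") as tar:
        members = tar.getmembers()
        for member in members:
            check_member(dest, member)
        # second layer on interpreters that ship tarfile.data_filter (filter="data")
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    return [m.name for m in members]


def build_archive(path: str, entries: dict) -> None:
    """Write a gzip tar whose member names are stored verbatim (constructed test data)."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def run_demo() -> dict:
    """Unpack a benign bundle and a traversal bundle; report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        # output dir is two levels down so '../../' would land in tmp itself
        out = os.path.join(tmp, "work", "out")
        benign = os.path.join(tmp, "good.praison")
        hostile = os.path.join(tmp, "bad.praison")
        build_archive(benign, {"recipe.yaml": b"name: demo\n"})
        build_archive(hostile, {"recipe.yaml": b"name: demo\n",
                                "../../escaped.txt": b"should never be written\n"})
        extracted = safe_unpack(benign, out)
        rejected = False
        try:
            safe_unpack(hostile, out)
        except ValueError:
            rejected = True
        return {
            "benign_members": extracted,
            "benign_file_ok": os.path.isfile(os.path.join(out, "recipe.yaml")),
            "hostile_rejected": rejected,
            "escaped_written": os.path.exists(os.path.join(tmp, "escaped.txt")),
        }


if __name__ == "__main__":
    print(run_demo())
```

The pre-check runs over the whole member list before extractall is called, so a bundle with one bad entry among many good ones leaves the destination untouched rather than half-populated. Where the interpreter provides tarfile.data_filter, passing filter="data" adds the standard library's own policy underneath; keeping the explicit check as well makes the rejection reasons visible in logs and keeps behaviour identical on older interpreters.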

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-40157
GHSA-99G3-W8GR-X37C

Affected Products

Praisonai