Zip Slip Vulnerability in PraisonAI by MervinPraison
CVE-2026-39307

8.1HIGH

Key Information:

Vendor: Mervinpraison
Status: Praisonai
Vendor: CVE Published:; 7 April 2026

🔔 Create Mervinpraison Vulnerability Alert

What is CVE-2026-39307?

PraisonAI is a multi-agent teams system that has a vulnerability in its templates installation feature prior to version 1.5.113. The application utilizes Python's zipfile.extractall() method to download and extract template archives from external sources, such as GitHub. However, it fails to verify whether the contents of the archive could resolve outside the intended extraction directory, exposing users to potential arbitrary file write attacks. This vulnerability has been patched in version 1.5.113, highlighting the importance of secure file handling and validation mechanisms in software development.

Affected Version(s)

PraisonAI < 4.5.113

References

https://github.com/MervinPraison/PraisonAI/security/advis...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-39307 Data

JSON