Back to overview

CVE-2026-60088

MEDIUM
5.5
CVSS 3.1
Description
PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path traversal sequences like @../outside_secret.txt or absolute paths in project command files to exfiltrate process-readable files into model prompts.

Metadata

CVE ID
CVE-2026-60088
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-08 12:14 UTC
Published
2026-07-11 13:00 UTC
Last updated
2026-07-11 13:00 UTC
Primary CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory …
Vendor / Product
MervinPraison / PraisonAI
Sources
cve.org  ·  NVD

Severity & Metrics

5.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
MervinPraison PraisonAI 0 < 4.6.78, 4.6.78
Weakness (CWE)
CWESourceDescription
CWE-22 cna Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS scores (2)
ScoreSeverityVersionSourceVector
6.8 MEDIUM 4.0 cna CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
5.5 MEDIUM 3.1 cna CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
References (3)
Back to overview