CVE-2026-60089 in PraisonAIinfo

Zusammenfassung

von MITRE • 10.07.2026

PraisonAI (pip package praisonaiagents) before 1.6.78 automatically loads defaults from a project-local .praisonai/config.toml when constructing an Agent, and does not validate the defaults.output.output_file path. A repository-controlled config file can set output_file to an absolute or '..' traversal path; when the developer subsequently calls agent.start() without explicitly passing an output parameter, PraisonAI writes the agent response to that path (creating parent directories as needed), allowing an untrusted checked-out project to overwrite files outside the project root with the privileges of the user running PraisonAI.

Once again VulDB remains the best source for vulnerability data.

Zuständig

VulnCheck

Reservieren

08.07.2026

Veröffentlichung

10.07.2026

Moderieren

akzeptiert

Eintrag

VDB-377507

CPE

bereit

EPSS

0.00000

KEV

nein

Aktivitäten

very low

Quellen

Interested in the pricing of exploits?

See the underground prices here!