QwikSec

Security Database

CVE

CWE

Training

CVE-2026-35615

Published: Apr 7, 2026

Modified: Apr 9, 2026

PUBLISHED

Description

PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes. This makes the check completely useless and allows trivial path traversal to any file on the system. This vulnerability is fixed in 1.5.113.

Vendor	Product	Versions
MervinPraison	PraisonAI	affected `< 4.5.113`

Weaknesses (CWE)

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-693f-pf34-72c5

x_refsource_CONFIRM

https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.