
CVE-2026-40148

Severity: MEDIUM, CVSS v3 base score 6.5 (source: NVD)

Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall() function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractall(). An attacker can publish a malicious recipe bundle containing highly compressible data (e.g., 10GB of zeros compressing to ~10MB) that exhausts the victim's disk when pulled via LocalRegistry.pull() or HttpRegistry.pull(). This vulnerability is fixed in 4.5.128.
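As an added illustration (not PraisonAI's code and not the 4.5.128 fix itself), the routine below keeps the path-traversal check the description mentions and adds the three missing controls: a member-count cap, a per-member size cap and a cumulative size cap, all evaluated from tar headers before anything is written. It is exercised against three constructed bundles, one of them a compressed-zeros bomb; the limit values, file names and helper functions are assumptions.

```python
import io
import tarfile
import tempfile
from pathlib import Path

def safe_extractall(tar_path, dest, *, max_members=1000,
                    max_member_size=50 * 2**20, max_total_size=200 * 2**20):
    """Check every member before writing anything, then extract; returns bytes written."""
    dest = Path(dest).resolve()
    total = 0
    with tarfile.open(tar_path, "r:*") as tar:
        members = tar.getmembers()
        if len(members) > max_members:               # member-count cap
            raise ValueError(f"too many members: {len(members)}")
        for m in members:
            target = (dest / m.name).resolve()      # traversal: must stay inside dest
            if target != dest and dest not in target.parents:
                raise ValueError(f"path traversal: {m.name}")
            if not (m.isfile() or m.isdir()):       # no symlinks, hardlinks or devices
                raise ValueError(f"disallowed member type: {m.name}")
            if m.size > max_member_size:            # header size is what gets written
                raise ValueError(f"member too large: {m.name} ({m.size} B)")
            total += m.size
            if total > max_total_size:              # cumulative cap
                raise ValueError(f"total size exceeds {max_total_size} B")
        tar.extractall(str(dest), members=members)
    return total

def build_bundle(path, files):  # constructed helper: each member is `size` zero bytes
    with tarfile.open(path, "w:gz") as tar:
        for name, size in files.items():
            info = tarfile.TarInfo(name)
            info.size = size
            tar.addfile(info, io.BytesIO(b"\0" * size))

def demo():
    """Three constructed bundles in a temp dir; returns the outcome of each."""
    cases = {"benign": {"recipe.yaml": 64, "data/x.bin": 4096},
             "bomb": {"zeros.bin": 3 * 2**20},  # 3 MiB of zeros, a few KiB gzipped
             "traversal": {"../escape.txt": 1}}
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, files in cases.items():
            bundle = Path(tmp) / f"{label}.tgz"
            build_bundle(bundle, files)
            try:
                out[label] = safe_extractall(bundle, Path(tmp) / label, max_member_size=2**20)
            except ValueError as e:
                out[label] = str(e).split(":")[0]
    return out
```

Because the caps are derived from the tar headers rather than the compressed byte count, the compression ratio of the bundle does not matter: a member that would expand to more than the cap is rejected before extraction starts.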

How to fix

Remediation available: praisonai (NVD)
Affected: < 4.5.128
Fixed in: 4.5.128 (CVE-2026-40148, derived from NVD)

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Impact

Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Exploit Intelligence

EPSS: 0.24% probability of exploitation in 30 days (15th percentile)

Low risk: more likely to be exploited than 15% of all known CVEs.



This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-04-17.