CVE-2026-60088
MEDIUM
NVD
CVSS Score
5.5
Severity
MEDIUM
Published
Jul 11, 2026
Vendor
unknown
Description
PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path traversal sequences like @../outside_secret.txt or absolute paths in project command files to exfiltrate process-readable files into model prompts.