CVE-2026-31802 node-tar Symlink Path Traversal via Drive-Relative Linkpath

🗓️ 09 Mar 2026 21:11:56Reported by GitHub_MType

CVE-2026-31802: node-tar symlink path traversal via drive-relative targets; fixed in 7.5.11.

Reporter	Title	Published	Views	Family All 75
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to multiple node modules.	21 Apr 202618:47	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses tar-7.5.9.tgz which is vulnerable to CVE-2026-31802	5 May 202611:29	–	ibm
IBM Security Bulletins	Security Bulletin: Security Vulnerabilities affect IBM Voice Gateway	31 Mar 202615:54	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution, loss of confidentiality and denial of service	6 May 202613:05	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Watsonx BI Assistant for CP4D	27 Apr 202616:13	–	ibm
IBM Security Bulletins	Security Bulletin: Maximo AI Service uses multiple third party dependencies which is vulnerable to multiple CVEs.	27 Apr 202607:43	–	ibm
GithubExploit	Exploit for CVE-2026-31802	14 Mar 202622:04	–	githubexploit
GithubExploit	Exploit for Path Traversal in Isaacs Tar	28 Mar 202620:49	–	githubexploit
ATTACKERKB	CVE-2026-31802	9 Mar 202621:11	–	attackerkb
AlpineLinux	CVE-2026-31802	9 Mar 202621:11	–	alpinelinux

[
  {
    "vendor": "isaacs",
    "product": "node-tar",
    "versions": [
      {
        "version": "< 7.5.11",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad
github	www.github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256

09 Mar 2026 21:11Current

CVSS 48.2

EPSS0.00253

CWE-22