Lucene search
+L

9680 matches found

NVD
NVD
added 2026/07/09 10:17 p.m.9 views

CVE-2026-39246

decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries type === 'symlink', the x.linkname field from the archive is passed directly to fs.symlink without validation index.js line 121. The preventWritingThroughSymlink check on line 98...

7.5CVSS0.00501EPSS
Exploits1References3
NVD
NVD
added 2026/07/09 10:17 p.m.7 views

CVE-2026-39243

decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries type === 'link', the x.linkname field from the archive is passed directly to fs.link without validation index.js line 113. An...

5.5CVSS0.00248EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/07/09 9:16 p.m.6 views

CVE-2026-59871

A flaw was found in node-tar, a library for manipulating tar archives in Node.js. This vulnerability occurs when the library incorrectly converts specific archive path values into numbers, leading to an error during subsequent path processing. An attacker could exploit this to cause the applicati...

7.5CVSS5.9AI score0.00358EPSS
Exploits1References6
Snyk
Snyk
added 2026/07/09 8:52 p.m.4 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the restore process. An attacker can execute arbitrary shell commands as the application user by crafting a malicious backup archive containing specially named files that are processed during restoration. Remediati...

8.6CVSS6.3AI score
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/07/09 8:27 p.m.7 views

CVE-2026-53655

A flaw was found in node-tar. This vulnerability arises because node-tar incorrectly applies PAX extended header size records to subsequent intermediary metadata headers, leading to a desynchronization of the tar stream cursor compared to other standard tar implementations. A remote attacker coul...

6.9CVSS5.9AI score0.00107EPSS
Exploits1References4
NVD
NVD
added 2026/07/09 7:17 p.m.10 views

CVE-2026-58198

ChatterBot is a machine learning, conversational dialog engine for creating chat bots. Prior to 1.2.14, UbuntuCorpusTrainer.extract uses a predictable home-rooted output directory /ubuntudata/ubuntudialogs with a check-then-create pattern followed by tar.extractallpath=self.datapath, allowing a...

5.5CVSS0.00095EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/09 6:32 p.m.9 views

EUVD-2026-42685

ChatterBot is a machine learning, conversational dialog engine for creating chat bots. Prior to 1.2.14, UbuntuCorpusTrainer.extract uses a predictable home-rooted output directory /ubuntudata/ubuntudialogs with a check-then-create pattern followed by tar.extractallpath=self.datapath, allowing a...

5.5CVSS5.9AI score0.00095EPSS
Exploits0References4
OSV
OSV
added 2026/07/09 12:55 p.m.3 views

OESA-2026-2972 gzip security update

gzip is a single-file/stream lossless data compression utility, where the resulting compressed file generally has the suffix .gz. Security Fixes: GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the...

7.5CVSS6.2AI score0.00294EPSS
Exploits0References3
OSV
OSV
added 2026/07/09 12:49 p.m.5 views

OESA-2026-2887 libarchive security update

is an open-source BSD-licensed C programming library that provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution also includes bsdtar and bsdcpio, full-featured implementations of tar and cpio that use . Security...

7.5CVSS6AI score0.0035EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/07/09 10:4 a.m.16 views

CVE-2026-59820

A flaw was found in LiteLLM, a proxy server for Large Language Model LLM APIs. An authenticated user, with specific API route access, could upload a specially crafted skill archive. This archive, containing path traversal entries, would allow files to be written outside of the designated extracti...

8.1CVSS6AI score0.00313EPSS
Exploits0References7
CVE
CVE
added 2026/07/09 12:0 a.m.13 views

CVE-2026-39246

The connected documents confirm a concrete vulnerability in the decompression tool: before v4.2.2, symlink entries (type === 'symlink') pass the archive’s x.linkname directly to fs.symlink() without validation. The existing preventWritingThroughSymlink check only applies to file entries, not syml...

7.5CVSS6.1AI score0.00501EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/09 12:0 a.m.7 views

PT-2026-56970

Name of the Vulnerable Software and Affected Versions decompress versions prior to 4.2.2 Description An issue exists during archive extraction where the software allows arbitrary symlink creation. When processing symlink entries, the x.linkname field from the archive is passed directly to the...

7.5CVSS6.2AI score0.00501EPSS
Exploits1References7
Cvelist
Cvelist
added 2026/07/09 12:0 a.m.30 views

CVE-2026-39243

decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries type === 'link', the x.linkname field from the archive is passed directly to fs.link without validation index.js line 113. An...

0.00248EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/07/09 12:0 a.m.30 views

CVE-2026-39246

decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries type === 'symlink', the x.linkname field from the archive is passed directly to fs.symlink without validation index.js line 121. The preventWritingThroughSymlink check on line 98...

0.00501EPSS
Exploits1References3
CVE
CVE
added 2026/07/09 12:0 a.m.8 views

CVE-2026-39243

The CVE-2026-39243 entry concerns decompress before 4.2.2, where archive extraction can create arbitrary hardlinks. During processing of hardlink entries (type === 'link'), the x.linkname field is passed directly to fs.link() without validation, enabling an attacker to craft an archive whose hard...

5.5CVSS6.1AI score0.00248EPSS
Exploits1References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/09 12:0 a.m.7 views

CVE-2026-39243

decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries type === 'link', the x.linkname field from the archive is passed directly to fs.link without validation index.js line 113. An...

5.5CVSS6.1AI score0.00248EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/07/09 12:0 a.m.8 views

CVE-2026-39246

decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries type === 'symlink', the x.linkname field from the archive is passed directly to fs.symlink without validation index.js line 121. The preventWritingThroughSymlink check on line 98...

7.5CVSS6.1AI score0.00501EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2026/07/09 12:0 a.m.9 views

Alibaba Cloud Linux 3 : 0185: perl-Archive-Tar (ALINUX3-SA-2026:0185)

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by a vulnerability as referenced in the ALINUX3-SA-2026:0185 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2026-42496: Archive::Tar versions before 3.08 f...

9.1CVSS6.2AI score0.0043EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/09 12:0 a.m.8 views

PT-2026-56968

Name of the Vulnerable Software and Affected Versions decompress versions prior to 4.2.2 Description An issue exists during archive extraction where arbitrary hardlink creation is possible. When processing hardlink entries type === 'link', the x.linkname field from the archive is passed directly ...

5.5CVSS6.2AI score0.00248EPSS
Exploits1References6
Snyk
Snyk
added 2026/07/08 10:39 p.m.10 views

Directory Traversal

Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Directory Traversal via path traversal in the skill archive extraction logic in SkillPromptInjectionHandler and SkillsSandboxExecutor. An authenticated user with access to...

6.8CVSS6.5AI score0.00313EPSS
Exploits0References2
Rows per page
Query Builder