Lucene search
K

215 matches found

CVE
CVE
added 2026/03/07 3:32 p.m.64 views

CVE-2026-29786

CVE-2026-29786 — node-tar hardlink path-traversal Affected: node-tar (Node.js tar handling) prior to version 7.5.10. Summary: tar can be tricked into creating a hardlink outside the extraction directory by using a drive-relative link target (e.g., C:../target.txt), enabling file overwrite outside...

8.6CVSS5.7AI score0.00408EPSS
Exploits2References5Affected Software1
OSV
OSV
added 2026/03/07 3:32 p.m.3 views

CVE-2026-29786 node-tar: Hardlink Path Traversal via Drive-Relative Linkpath

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x extraction. Th...

8.2CVSS5.7AI score0.00408EPSS
Exploits2References7
ATTACKERKB
ATTACKERKB
added 2026/03/07 3:32 p.m.4 views

CVE-2026-29786

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x extraction. Th...

8.2CVSS5.7AI score0.00408EPSS
Exploits2References3Affected Software1
CNNVD
CNNVD
added 2026/03/07 12:0 a.m.10 views

node-tar 后置链接漏洞

node-tar is a software package for file compression/decompression developed by isaacs. Versions of node-tar prior to 7.5.10 had a post-installation link vulnerability. This vulnerability stemmed from the possibility of creating hard links pointing outside the extraction directory, which could lea...

8.2CVSS6.5AI score0.00408EPSS
Exploits2References2
GithubExploit
GithubExploit
added 2026/03/05 10:53 p.m.255 views

Exploit for CVE-2026-29786

CVE-2026-29786 Research: Joshua van Rijswijkhttps://gi...

6AI score0.00408EPSS
Exploits2
CVE
CVE
added 2026/03/05 9:59 p.m.16 views

CVE-2026-28453

OpenClaw before 2026.2.14 fails to validate TAR entry paths during extraction, allowing path traversal (e.g., ../../) to write files outside the extraction directory. This affects openclaw’s installation flows and could enable configuration tampering and potentially code execution. The root cause...

9.8CVSS6AI score0.00409EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/02/24 10:16 p.m.15 views

CVE-2026-27117

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.11, a path traversal vulnerability "Zip Slip" exists in bit7z's archive extraction functionality. The library does not adequately validate file paths contained in archive...

7.5CVSS0.00309EPSS
Exploits1References4
Huntr
Huntr
added 2026/02/21 6:25 a.m.10 views

Path traversal via startswith() prefix confusion in is_path_in_dir (bypass of CVE-2025-12638 fix)

Description The ispathindir function in keras/src/utils/fileutils.py line 47-48 is a security-critical path validation function introduced as part of the fix for CVE-2025-12638. It is used by both filtersafezipinfos and filtersafetarinfos to validate that archive entries stay within the intended...

8CVSS7.2AI score0.00592EPSS
Exploits0
SUSE CVE
SUSE CVE
added 2026/02/21 12:23 a.m.2 views

SUSE CVE-2026-26960

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting use...

7.1CVSS5.8AI score0.00288EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/02/20 4:29 p.m.6 views

CVE-2026-26960

A flaw was found in node-tar. An attacker can craft a malicious archive that, when extracted with default options, creates a hardlink outside the intended extraction directory. This vulnerability allows the attacker to perform arbitrary file read and write operations as the user extracting the...

7.1CVSS5.5AI score0.00288EPSS
Exploits1References6
Cvelist
Cvelist
added 2026/02/20 4:3 p.m.24 views

CVE-2026-2818 Zip Slip Path Traversal in Snapshot Archive Extraction (Windows-Specific)

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only...

8.2CVSS0.00272EPSS
Exploits0References1
CVE
CVE
added 2026/02/20 4:3 p.m.15 views

CVE-2026-2818

CVE-2026-2818 describes a zip-slip path traversal in Spring Data Geode’s import snapshot functionality, affecting Windows environments. The issue allows writing files outside the intended extraction directory during snapshot extraction, with impact described as confidentiality: Low , integrity: H...

8.2CVSS5.5AI score0.00272EPSS
Exploits0References4
AlpineLinux
AlpineLinux
added 2026/02/20 1:7 a.m.7 views

CVE-2026-26960

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting use...

7.1CVSS5.7AI score0.00288EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/02/20 12:0 a.m.9 views

Spring Data Geode 安全漏洞

Spring Data Geode is a software developed by Spring for configuring, operating, and accessing distributed data management systems. There is a security vulnerability in Spring Data Geode, which stems from a Zip Slip path traversal vulnerability in the import snapshot function. This vulnerability...

8.2CVSS5.8AI score0.00272EPSS
Exploits0References1
OSV
OSV
added 2026/02/11 9:16 p.m.4 views

DEBIAN-CVE-2026-26158

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to...

7CVSS7.2AI score0.0016EPSS
Exploits0References1
OSV
OSV
added 2026/02/11 9:16 p.m.5 views

AZL-77606 CVE-2026-26158 affecting package busybox for versions less than 1.35.0-17

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to...

7CVSS7.1AI score0.0016EPSS
Exploits0References1
OSV
OSV
added 2026/02/11 9:16 p.m.5 views

AZL-77613 CVE-2026-26158 affecting package busybox for versions less than 1.36.1-22

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to...

7CVSS5.7AI score0.0016EPSS
Exploits0References1
UbuntuCve
UbuntuCve
added 2026/02/11 9:16 p.m.4 views

CVE-2026-26158

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to...

7CVSS7AI score0.0016EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/11 6:55 p.m.3 views

Relative Path Traversal

Overview nanotar is a Tiny and fast Tar utils for any JavaScript runtime! Affected versions of this package are vulnerable to Relative Path Traversal via the parseTar or parseTarGzip functions. An attacker can write arbitrary files outside the intended extraction directory by supplying a speciall...

9.8CVSS5.8AI score0.00841EPSS
Exploits2References2
Github Security Blog
Github Security Blog
added 2026/02/11 6:31 p.m.13 views

nanotar is vulnerable to path traversal in parseTar() and parseTarGzip()

nanotar through 0.2.0 has a path traversal vulnerability in parseTar and parseTarGzip that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequence...

9.8CVSS5.8AI score0.00841EPSS
Exploits2References5Affected Software1
Rows per page
Query Builder