Lucene search
K

52 matches found

Tenable Nessus
Tenable Nessus
added 2026/05/29 12:0 a.m.13 views

RockyLinux 10 : linux-sgx (RLSA-2026:18480)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:18480 advisory. qs: qs: Denial of Service via improper input validation in array parsing CVE-2025-15284 node-tar: tar: node-tar: Arbitrary file overwrite and symlink...

8.8CVSS5.8AI score0.01535EPSS
Exploits5References11
OSV
OSV
added 2026/05/28 3:43 p.m.14 views

RLSA-2026:18868 Important: linux-sgx security update

The Intel SGX SDK is a collection of APIs, libraries, documentations and tools that allow software developers to create and debug Intel SGX enabled applications in C/C++. Security Fixes: qs: qs: Denial of Service via improper input validation in array parsing CVE-2025-15284 node-tar: tar: node-ta...

8.8CVSS5.8AI score0.01535EPSS
Exploits5References6
Tenable Nessus
Tenable Nessus
added 2026/05/28 12:0 a.m.13 views

RockyLinux 9 : linux-sgx (RLSA-2026:18868)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:18868 advisory. qs: qs: Denial of Service via improper input validation in array parsing CVE-2025-15284 node-tar: tar: node-tar: Arbitrary file overwrite and symlink...

8.8CVSS7AI score0.01535EPSS
Exploits5References11
RedHat Linux
RedHat Linux
added 2026/05/19 1:54 p.m.11 views

node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives

A flaw was found in the node-tar library. This vulnerability allows an attacker to craft malicious archives that, when extracted, can bypass intended security restrictions. This leads to arbitrary file overwrite and symlink poisoning, potentially allowing unauthorized modification of files on the...

8.2CVSS6.6AI score0.00334EPSS
Exploits2References6
RedHat Linux
RedHat Linux
added 2026/05/19 9:16 a.m.10 views

node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives

A flaw was found in the node-tar library. This vulnerability allows an attacker to craft malicious archives that, when extracted, can bypass intended security restrictions. This leads to arbitrary file overwrite and symlink poisoning, potentially allowing unauthorized modification of files on the...

8.2CVSS6.6AI score0.00334EPSS
Exploits2References6
AlmaLinux
AlmaLinux
added 2026/05/19 12:0 a.m.12 views

Important: linux-sgx security update

The Intel SGX SDK is a collection of APIs, libraries, documentations and tools that allow software developers to create and debug Intel SGX enabled applications in C/C++. Security Fixes: qs: qs: Denial of Service via improper input validation in array parsing CVE-2025-15284 node-tar: tar: node-ta...

8.8CVSS6.5AI score0.01535EPSS
Exploits5References12
OSV
OSV
added 2026/05/19 12:0 a.m.17 views

ALSA-2026:18868 Important: linux-sgx security update

The Intel SGX SDK is a collection of APIs, libraries, documentations and tools that allow software developers to create and debug Intel SGX enabled applications in C/C++. Security Fixes: qs: qs: Denial of Service via improper input validation in array parsing CVE-2025-15284 node-tar: tar: node-ta...

8.8CVSS6.5AI score0.01535EPSS
Exploits5References12
Tenable Nessus
Tenable Nessus
added 2026/05/19 12:0 a.m.9 views

RHEL 9 : linux-sgx (RHSA-2026:18868)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:18868 advisory. The Intel SGX SDK is a collection of APIs, libraries, documentations and tools that allow software developers to create and debug Intel SGX...

8.8CVSS5.8AI score0.01535EPSS
Exploits5References15
Tenable Nessus
Tenable Nessus
added 2026/05/19 12:0 a.m.12 views

RHEL 10 : linux-sgx (RHSA-2026:18480)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:18480 advisory. The Intel SGX SDK is a collection of APIs, libraries, documentations and tools that allow software developers to create and debug Intel SG...

8.8CVSS6.7AI score0.01535EPSS
Exploits5References16
Vulnrichment
Vulnrichment
added 2026/04/21 8:57 p.m.2 views

CVE-2026-40931 Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing

Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...

8.4CVSS5.7AI score0.00334EPSS
Exploits2References1
CVE
CVE
added 2026/04/21 8:57 p.m.22 views

CVE-2026-40931

CVE-2026-40931 affects the node module compressing up to versions 2.1.0 and 1.10.4/2.0.1 patching CVE-2026-24884. The root cause is a string-based path check in isPathWithinParent that validates resolved paths without accounting for filesystem state, enabling a Directory Poisoning bypass via pre-...

8.4CVSS5.7AI score0.00334EPSS
Exploits2References1Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:32 p.m.11 views

Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing

Executive Summary This report documents a critical security research finding in the compressing npm package specifically tested on the latest v2.1.0. The core vulnerability is a Partial Fix Bypass of CVE-2026-24884. The current patch relies on a purely logical string validation within the...

8.4CVSS6AI score0.00334EPSS
Exploits2References3Affected Software1
OSV
OSV
added 2026/04/17 9:32 p.m.6 views

GHSA-4C3Q-X735-J3R5 Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing

Executive Summary This report documents a critical security research finding in the compressing npm package specifically tested on the latest v2.1.0. The core vulnerability is a Partial Fix Bypass of CVE-2026-24884. The current patch relies on a purely logical string validation within the...

8.4CVSS6AI score0.0024EPSS
Exploits2References3
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/31 1:40 p.m.6 views

Security Bulletin: Maximo AI Service uses tar-7.4.3.tgz which is vulnerable to CVE-2026-23745 and CVE-2026-23950.

Summary Maximo AI Service uses tar-7.4.3.tgz which is vulnerable to CVE-2026-23745 and CVE-2026-23950. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-23950 DESCRIPTION: node-tar,a Tar for Node.js, has a race condition...

8.8CVSS6.4AI score0.00334EPSS
Exploits3Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/03/06 12:0 a.m.4 views

Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2026-1466)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1466 advisory. node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. Th...

8.8CVSS6.3AI score0.00541EPSS
Exploits4References8
Amazon
Amazon
added 2026/03/05 12:0 a.m.5 views

Important: nodejs20

Issue Overview: node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to...

8.8CVSS5.9AI score0.00334EPSS
Exploits3
Veracode
Veracode
added 2026/02/02 8:34 a.m.4 views

Race Condition

node-tar is vulnerable to a Race Condition Vulnerability. The vulnerability is due to improper handling of Unicode path collisions in the PathReservations locking mechanism on normalization-insensitive or case-insensitive filesystems, which allows an attacker to exploit race conditions using...

8.8CVSS5.8AI score0.00233EPSS
Exploits1References11Affected Software2
Veracode
Veracode
added 2026/01/21 3:7 p.m.6 views

Symlink Poisoning

node-tar is vulnerable to Symlink Poisoning. The vulnerability is due to insufficient sanitization of hardlink and symlink linkpath values during archive extraction, where malicious tar entries can bypass the extraction root restriction and overwrite arbitrary files or create dangerous symlinks...

8.2CVSS5.7AI score0.00334EPSS
Exploits2References13Affected Software1
EUVD
EUVD
added 2026/01/21 1:5 a.m.6 views

EUVD-2026-3595

Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS...

8.8CVSS5.3AI score0.00233EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/01/21 1:5 a.m.16 views

Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS

TITLE: Race Condition in node-tar Path Reservations via Unicode Sharp-S ß Collisions on macOS APFS AUTHOR: Tomás Illuminati Details A race condition vulnerability exists in node-tar v7.5.3 this is to an incomplete handling of Unicode path collisions in the path-reservations system. On...

8.8CVSS5.9AI score0.00233EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder