Lucene search
K

391 matches found

Tenable Nessus
Tenable Nessus
added 2026/05/04 12:0 a.m.10 views

RHCOS 3 : OpenShift Container Platform 3.3 (RHSA-2018:1239)

The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2018:1239 advisory. - source-to-image: Improper path sanitization in ExtractTarStreamFromTarReader in tar/tar.go CVE-2018-1102 Note that Nessus has not tested fo...

8.8CVSS7.3AI score0.02418EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/04/30 12:0 a.m.13 views

Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2026-1609)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1609 advisory. @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service DoS issue caused by unbound...

9.2CVSS5.7AI score0.00481EPSS
Exploits3References8
OSV
OSV
added 2026/04/29 8:45 a.m.3 views

BIT-MLFLOW-2025-15036 Path Traversal Vulnerability in mlflow/mlflow

A path traversal vulnerability exists in the extractarchivetodir function within the mlflow/pyfunc/dbconnectartifactcache.py file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An...

10CVSS8.6AI score0.00587EPSS
Exploits1References6
Tenable Nessus
Tenable Nessus
added 2026/04/29 12:0 a.m.7 views

Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: python3 (UTSA-2026-015069)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-015069 advisory. There is a defect in the CPython tarfile module affecting the TarFile extraction and entry enumeration APIs. The tar implementation would process tar archives with...

7.5CVSS6.8AI score0.00611EPSS
Exploits0References3
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/28 10:25 p.m.11 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in tar-7.5.7.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerability in tar-7.5.7.tgz Vulnerability Details CVEID:CVE-2026-26960 DESCRIPTION: node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink insid...

7.1CVSS6.1AI score0.00288EPSS
Exploits1Affected Software1
Microsoft CVE
Microsoft CVE
added 2026/04/26 8:4 a.m.10 views

Poetry: Path traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4

...

8.7CVSS5.8AI score0.00294EPSS
Exploits0
Cvelist
Cvelist
added 2026/04/24 5:10 p.m.28 views

CVE-2026-41140 Poetry: Path traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4

Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.datafilter is unavailable. Considering only Python versions which are still supporte...

2.3CVSS0.00294EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/24 5:10 p.m.5 views

CVE-2026-41140 Poetry: Path traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4

Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.datafilter is unavailable. Considering only Python versions which are still supporte...

2.3CVSS5.3AI score0.00294EPSS
Exploits0References1
OSV
OSV
added 2026/04/24 5:10 p.m.2 views

CVE-2026-41140 Poetry: Path traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4

Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.datafilter is unavailable. Considering only Python versions which are still supporte...

2.3CVSS6.2AI score0.00294EPSS
Exploits0References7
CVE
CVE
added 2026/04/24 5:10 p.m.38 views

CVE-2026-41140

CVE-2026-41140 affects Poetry (Python dependency manager). The vulnerability is in extractall(), src/poetry/utils/helpers.py:410-426, which allowed tarball extraction without path traversal protection on Python versions where tarfile.data_filter is unavailable. Affected supported Poetry/Python ra...

8.7CVSS5.3AI score0.00294EPSS
Exploits0References5
OSV
OSV
added 2026/04/22 7:6 p.m.8 views

GHSA-X2XQ-QHJF-5MVG DDEV has ZipSlip path traversal in tar and zip archive extraction

Summary The DDEV local dev tool has unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. This flaw allows users to download and extract archives from remote sources without path validation. Vulnerable Code pkg/archive/archive.go:235 Untar: go fullPath :=...

6.5CVSS5.9AI score0.00418EPSS
Exploits3References6
Github Security Blog
Github Security Blog
added 2026/04/22 7:6 p.m.9 views

DDEV has ZipSlip path traversal in tar and zip archive extraction

Summary The DDEV local dev tool has unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. This flaw allows users to download and extract archives from remote sources without path validation. Vulnerable Code pkg/archive/archive.go:235 Untar: go fullPath :=...

9.1CVSS5.9AI score0.00418EPSS
Exploits3References6Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/22 4:54 p.m.7 views

CVE-2026-32885 DDEV has ZipSlip path traversal in tar and zip archive extraction

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

6.5CVSS5.8AI score0.00418EPSS
Exploits3References2
Cvelist
Cvelist
added 2026/04/22 4:54 p.m.30 views

CVE-2026-32885 DDEV has ZipSlip path traversal in tar and zip archive extraction

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

6.5CVSS0.00418EPSS
Exploits3References2
OSV
OSV
added 2026/04/22 4:54 p.m.3 views

CVE-2026-32885 DDEV has ZipSlip path traversal in tar and zip archive extraction

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

6.5CVSS6AI score0.00418EPSS
Exploits3References4
CVE
CVE
added 2026/04/22 4:54 p.m.21 views

CVE-2026-32885

CVE-2026-32885 (DDEV ZipSlip) affects the DDEV project prior to v1.25.2. The vulnerability resides in the archive extraction routines (pkg/archive/archive.go) for both Untar() and Unzip(), which unzip/downloaded archives from remote sources without validating the extraction path. This enables pat...

9.1CVSS5.8AI score0.00418EPSS
Exploits3References2Affected Software1
OSV
OSV
added 2026/04/22 2:35 p.m.6 views

GHSA-73H3-MF4W-8647 Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4

Summary The extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.datafilter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 ...

2.3CVSS5.9AI score0.00294EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/04/22 2:35 p.m.12 views

Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4

Summary The extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.datafilter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 ...

8.7CVSS5.9AI score0.00294EPSS
Exploits0References4Affected Software1
Ubuntu
Ubuntu
added 2026/04/13 12:35 p.m.9 views

USN-8168-1: Rust vulnerability

It was discovered that tar-rs embedded in rustc incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside the...

6.5CVSS6AI score0.00379EPSS
Exploits1
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.6 views

PT-2026-32712

It was discovered that tar-rs embedded in rustc incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside the...

6.5CVSS6AI score0.00379EPSS
Exploits1References3
Rows per page
Query Builder