2873 matches found
Ligeo Archives Ligeo Basics - Server Side Request Forgery
Ligeo Archives Ligeo Basics as of 0201-2022 is vulnerable to Server Side Request Forgery SSRF which allows an attacker to read any documents via the download features. id: CVE-2021-46107 info: name: Ligeo Archives Ligeo Basics - Server Side Request Forgery author: ritikchaddha severity: high...
CVE-2026-43637
Cornac before 2.6.0 is affected by a path traversal (Tar Slip) in the _extract_archive() function (cornac/utils/download.py). The vulnerability allows an attacker to write arbitrary files outside the intended cache directory by supplying crafted TAR archives with ../ sequences, absolute paths, or...
CVE-2026-43637 Cornac < 2.6.0 Path Traversal via _extract_archive() in download.py
Cornac before 2.6.0 contains a path traversal Tar Slip vulnerability that allows attackers to write arbitrary files outside the intended cache directory by supplying a crafted TAR archive containing ../ sequences, absolute paths, or symlink/hardlink entries to the extractarchive function in...
Linux Distros Unpatched Vulnerability : CVE-2026-58052
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - 7-Zip for Windows through 26.01 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an...
EUVD-2026-42955
NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip's seven in-house IInArchive handlers in NanaZip.Codecs unconditionally dereference the caller-supplied Indices array inside Extract when the archive engine signals extract everything by passin...
CVE-2026-59875
A flaw was found in node-tar, a library for manipulating tar archives in Node.js. A remote attacker could craft a malicious archive containing null characters NUL bytes in its metadata. When this archive is processed, the unstripped null characters can cause the application to terminate...
DEBIAN-CVE-2026-55195
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, py7zr's Worker.decompress extracted archive entries without tracking total decompressed size, allowing a crafted .7z file such as a 15.6 KB archive that expan...
CVE-2026-59820
LiteLLM is a proxy AI gateway. A path traversal flaw existed in LiteLLM Skills archive extraction prior to version 1.83.7-stable, where uploaded skill ZIPs could write outside the intended extraction directory when an authenticated user accessed LLM API routes or held a key with /v1/skills, anthr...
DEBIAN-CVE-2026-59875
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath records in src/pax.ts, allowing a crafted archive with values to reach fs.lstat or fs.open and terminate the process with an uncaught exception. This issue is...
CVE-2026-14966
BBOT's unarchive module rejects archives containing symlink entries before extraction, but for zip and 7z archives it failed to detect symlinks whose listing carries a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. Such an archive, downloaded and extracted...
EUVD-2026-42295
BBOT's unarchive module rejects archives containing symlink entries before extraction, but for zip and 7z archives it failed to detect symlinks whose listing carries a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. Such an archive, downloaded and extracted...
CVE-2026-14966 Symlink guard bypass in unarchive module allows planting symlinks during extraction
BBOT's unarchive module rejects archives containing symlink entries before extraction, but for zip and 7z archives it failed to detect symlinks whose listing carries a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. Such an archive, downloaded and extracted...
[SECURITY] Fedora 43 Update: python-fastar-0.11.0-7.fc43
The fastar library wraps the Rust tar, flate2, and zstd crates, providing a high-performance way to work with compressed and uncompressed tar archives in Python...
PT-2026-56543
Name of the Vulnerable Software and Affected Versions LiteLLM versions prior to 1.83.7-stable Description LiteLLM, a proxy server used to call LLM APIs, contains a flaw in its Skills archive extraction process. An authenticated user with access to the LLM API routes or a key permitted to use...
pip: pip: Incorrect file installation due to improper archive handling
A flaw was found in pip. This vulnerability occurs because pip incorrectly processes concatenated tar and ZIP files as ZIP files, regardless of their true format. This improper handling can lead to confusing installation behavior, potentially causing the installation of unintended or 'incorrect'...
Decompress: Archive extraction can create files and links outside of the target directory
Impact When extracting an archive to a directory, a crafted archive can read or write files outside that directory. The flaw is in the code that writes the parsed entries, so it affects every format decompress handles: tar, tar.gz, tar.bz2, and zip by default, plus any others added through the...
Directory Traversal
Overview decompress is a package that can be used for extracting archives. Affected versions of this package are vulnerable to Directory Traversal and link following during archive extraction, where symlink and hardlink entries are created without checking their targets and the directory...
python: Python tarfile module: Denial of Service via improper EOF handling in streaming mode
A flaw was found in the Python tarfile module. When processing a specially crafted tar archive opened in 'streaming mode' mode='r|', the module does not properly handle the end-of-file EOF condition. This can cause the tarfile module to enter an infinite loop, leading to a Denial of Service DoS f...
CVE-2026-12252 Untrusted JAR Code Execution in Multiple Stanford Interface Classes in nltk/nltk
In nltk/nltk versions 3.9.3 and earlier, five Stanford interface classes StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser are vulnerable to untrusted JAR code execution. These classes accept user-controllable JAR paths and execute...
UBUNTU-CVE-2026-20243
A vulnerability in the ALZ file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in ALZ...