ALPINE-CVE-2025-4517

Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or TarFile.extract using the filter= parameter with a value of...

CVE-2025-4435 Tarfile extracts filtered members when errorlevel=0

When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped...

PSF-2025-7

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

Python 安全漏洞

Python is an open source, object-oriented programming language from the Python Foundation. The language is extensible, supports modules and packages, and supports multiple platforms. A security vulnerability exists in Python 3.12 and later, which stems from an extract filter that can be ignored a...

Python 安全漏洞

Python is an open source, object-oriented programming language from the Python Foundation. The language is extensible, supports modules and packages, and supports multiple platforms. A security vulnerability exists in Python 3.12 and later, which stems from an extract filter that can be ignored a...

DEBIAN-CVE-2025-48387

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore n...

Improper Link Resolution Before File Access ('Link Following')

Overview org.webjars.npm:tar-fs is a filesystem bindings for tar-stream. Affected versions of this package are vulnerable to Improper Link Resolution Before File Access 'Link Following' through the exports.extract function. An attacker can manipulate the path of extracted files to write outside t...

CVE-2025-48387 tar-fs has issue where extract can write outside the specified dir with a specific tarball

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore n...

CVE-2024-47877

Extract is aA Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This vulnerability is fixed in 4.0.0. If you're using the Extractor.FS interface, then upgrading to /v4...

CVE-2024-55587

python-libarchive through 4.2.1 allows directory traversal to create files in extract in zip.py for ZipFile.extractall and ZipFile.extract...

CVE-2023-48090

GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks in extractattributes mediatools/m3u8.c:329...

CVE-2023-0159

The Extensive VC Addons for WPBakery page builder WordPress plugin before 1.9.1 does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may ...

CVE-2022-4063

The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers...

CVE-2021-39208

SharpCompress is a fully managed C library to deal with many compression types and formats. Versions prior to 0.29.0 are vulnerable to partial path traversal. SharpCompress recreates a hierarchy of directories under destinationDirectory if ExtractFullPath is set to true in options. In order to...

CVE-2021-35958

TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.getfile is used with extract=True. NOTE: the vendor's position is that tf.keras.utils.getfile is not intended for untrusted archives...

Oracle Linux 9 : rpm-ostree (ELSA-2025-7147)

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2025-7147 advisory. 2025.5-1 - Rebase to 2025.5 Resolves: RHEL-78697 2025.4-1 - Rebase to 2025.4 Resolves: RHEL-68131 2025.3-1 - Rebase to 2025.3 Resolves: RHEL-68131 2025.2-1 -...

CVE-2025-46578

There are SQL injection vulnerabilities in multiple interfaces of the GoldenDB database product. Attackers can exploit these interfaces to inject commands and extract sensitive database information...

CVE-2025-46577

GoldenDB (ZTE) is affected by a SQL injection vulnerability where the application does not validate externally supplied SQL statements, enabling an attacker to execute arbitrary SQL and potentially exfiltrate data. Affected component: GoldenDB database product; root cause: lack of input validatio...

CVE-2024-12216

A vulnerability in the ImageClassificationDataset.fromcsv API of the dmlc/gluon-cv repository, version 0.10.0, allows for arbitrary file write. The function downloads and extracts tar.gz files from URLs without proper sanitization, making it susceptible to a TarSlip vulnerability. Attackers can...

adclaw (>=1.0.0 <=1.0.4), agentjet (=0.0.1) +24 more potentially affected by CVE-2024-8487 via agentscope (>=0.1.0 <=1.0.7)

agentscope PYPI version =0.1.0, =1.0.0, =0.3.0, =0.1.0, =0.2.0, =0.1.5, =1.0.0.post2, =0.1.0, =0.1.0, =0.1.0.post1, =0.2.0, =0.4.0, =0.1.6, =0.1.84 and more Source cves: CVE-2024-8487 Source advisory: SNYK:PYTHON-AGENTSCOPE-9511372...