Lucene search
K

176 matches found

OSV
OSV
added 6 days ago7 views

BIT-PYTHON-MIN-2026-4360 Tarfile.extract() doesn't fully respect filter parameter

In the Tarfile.extract function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract function...

5.3CVSS5.9AI score0.00235EPSS
Exploits0References9
OSV
OSV
added 6 days ago8 views

BIT-PYTHON-2026-4360 Tarfile.extract() doesn't fully respect filter parameter

In the Tarfile.extract function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract function...

5.3CVSS5.9AI score0.00235EPSS
Exploits0References9
OSV
OSV
added last week6 views

PYSEC-2026-1567 LlamaIndex vulnerability in its ObsidianReader class can lead to Path Traversal exploit

A vulnerability in the ObsidianReader class of the run-llama/llamaindex repository, before version 0.5.2 specifically in version 0.12.27 of llama-index, allows for hardlink-based path traversal. This flaw permits attackers to bypass path restrictions and access sensitive system files, such as...

6.2CVSS5.9AI score0.0029EPSS
Exploits1References6
OSV
OSV
added 2026/07/06 8:27 p.m.4 views

GHSA-MP2F-45PM-3CG9 Decompress: Archive extraction can create files and links outside of the target directory

Impact When extracting an archive to a directory, a crafted archive can read or write files outside that directory. The flaw is in the code that writes the parsed entries, so it affects every format decompress handles: tar, tar.gz, tar.bz2, and zip by default, plus any others added through the...

9.1CVSS6AI score
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2026/07/02 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-4360

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Tarfile.extract function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted...

5.3CVSS6.1AI score0.00235EPSS
Exploits0References3
Snyk
Snyk
added 2026/07/01 9:48 p.m.4 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack through improper validation of hardlink targets during tar extraction. An attacker can access or modify files outside the intended extraction directory by crafting a malicious tarball with a hardlink entry whose target is...

7.1CVSS6AI score
Exploits0References3
NVD
NVD
added 2026/06/30 3:16 p.m.8 views

CVE-2026-4360

In the Tarfile.extract function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract function...

5.3CVSS0.00235EPSS
Exploits0References8
OSV
OSV
added 2026/06/30 3:16 p.m.4 views

UBUNTU-CVE-2026-4360

In the Tarfile.extract function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract function...

5.3CVSS5.8AI score0.00235EPSS
Exploits0References9
OSV
OSV
added 2026/06/30 2:45 p.m.3 views

CVE-2026-4360 Tarfile.extract() doesn't fully respect filter parameter

In the Tarfile.extract function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract function...

2CVSS5.9AI score0.00235EPSS
Exploits0References11
OSV
OSV
added 2026/06/30 2:45 p.m.7 views

PSF-2026-32

In the Tarfile.extract function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract function...

5.3CVSS5.8AI score0.00235EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/06/30 2:45 p.m.67 views

CVE-2026-4360 Tarfile.extract() doesn't fully respect filter parameter

In the Tarfile.extract function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract function...

2CVSS0.00235EPSS
Exploits0References8
Debian CVE
Debian CVE
added 2026/06/30 2:45 p.m.5 views

CVE-2026-4360

In the Tarfile.extract function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract function...

5.3CVSS5.8AI score0.00235EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/06/30 2:45 p.m.8 views

CVE-2026-4360 Tarfile.extract() doesn't fully respect filter parameter

In the Tarfile.extract function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract function...

2CVSS5.8AI score0.00235EPSS
Exploits0References8
CVE
CVE
added 2026/06/30 2:45 p.m.26 views

CVE-2026-4360

Summary of CVE-2026-4360 (mode C) The issue concerns Python’s tarfile TarFile.extract() where the filter parameter is not correctly applied when extracting hardlinks. The vulnerability can allow an affected system that processes tar files from untrusted sources to write files with an unexpected u...

5.3CVSS5.8AI score0.00235EPSS
Exploits0References8Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-53894

Name of the Vulnerable Software and Affected Versions Python affected versions not specified Description In the extract function of the Tarfile module, the filter parameter is not correctly handled when extracting hardlinks. This issue allows a system extracting content from untrusted tar files t...

2CVSS6AI score0.00235EPSS
Exploits0References19
Cvelist
Cvelist
added 2026/06/23 4:4 p.m.74 views

CVE-2026-11940 tarfile extraction filter bypass allows escaping the destination directory

tarfile.extractall with the 'data' or 'tar' filter could be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name than the hardlink itself. The extraction fallback validated the symlink at it's archived location but recreated it at the hardlink's shallower...

7.8CVSS0.00613EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 2026/06/18 12:0 a.m.7 views

Siemens RUGGEDCOM RST2428P External Control of File Name or Path (CVE-2026-26158)

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to...

7CVSS7.1AI score0.0016EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/05/27 12:0 a.m.36 views

Linux Distros Unpatched Vulnerability : CVE-2026-42497

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. makespecialfile passes the tar...

7.5CVSS5.9AI score0.00417EPSS
Exploits0References4
NVD
NVD
added 2026/05/26 2:16 a.m.17 views

CVE-2026-42497

Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. makespecialfile passes the tar header's linkname to link without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode...

7.5CVSS0.00417EPSS
Exploits0References3
OSV
OSV
added 2026/05/26 2:16 a.m.8 views

DEBIAN-CVE-2026-42497

Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. makespecialfile passes the tar header's linkname to link without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode...

7.5CVSS5.8AI score0.00417EPSS
Exploits0References1
Rows per page
Query Builder