21 matches found
Atlassian Jira Service Management Data Center and Server 5.15.2 < 10.3.18 / 10.4.x < 11.3.3 (JSDSERVER-16528)
The version of Atlassian Jira Service Management Data Center and Server Jira Service Desk running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-16528 advisory. - node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link...
tar has Hardlink Path Traversal via Drive-Relative Linkpath
Summary tar npm can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x extraction. Details The extraction logic in UnpackSTRIPABSOLUTEPATH chec...
Important: nodejs24
Issue Overview: node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to...
Important: nodejs20
Issue Overview: node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to...
Symlink Poisoning
node-tar is vulnerable to Symlink Poisoning. The vulnerability is due to insufficient sanitization of hardlink and symlink linkpath values during archive extraction, where malicious tar entries can bypass the extraction root restriction and overwrite arbitrary files or create dangerous symlinks...
CVE-2026-23745
A flaw was found in the node-tar library. This vulnerability allows an attacker to craft malicious archives that, when extracted, can bypass intended security restrictions. This leads to arbitrary file overwrite and symlink poisoning, potentially allowing unauthorized modification of files on the...
Exploit for CVE-2026-23745
CVE-2026-23745: node-tar Arbitrary File Overwrite Research:...
Linux Distros Unpatched Vulnerability : CVE-2026-23745
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false...
DEBIAN-CVE-2026-23745
node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwri...
CVE-2026-23745
node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwri...
CVE-2026-23745 node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwri...
CVE-2026-23745
node-tar (Tar for Node.js) vulnerability CVE-2026-23745: the library fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false, allowing bypass of extraction root restrictions and leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning ...
Directory Traversal
Overview org.webjars.npm:tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Directory Traversal via insufficient sanitization of the linkpath parameter during archive extraction. An attacker can overwrite arbitrary files or create malicious symbolic links ...
GHSA-8QQ5-RM4J-MR97 node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
Summary The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and...
Directory Traversal
Overview tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Directory Traversal via insufficient sanitization of the linkpath parameter during archive extraction. An attacker can overwrite arbitrary files or create malicious symbolic links by crafting a ta...
PT-2026-3329
Name of the Vulnerable Software and Affected Versions node-tar versions = 7.5.2 Description The node-tar library fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false, which is the default secure behavior. This allows malicious archives to bypass...
Malicious code in linkpath-paypal (npm)
The package linkpath-paypal was found to contain malicious code...