
73 matches found

RedhatCVE
added 2026/06/05 7:44 p.m., 6 views

CVE-2026-39817

The "go tool pack" subcommand usually used only by the compiler as an internal tool with known-good inputs does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem...

5.9 CVSS | 5.6 AI score | 0.0017 EPSS
Exploits: 0 | References: 1

Mageia
added 2026/06/02 5:23 a.m., 11 views

Updated tar packages fix security vulnerability

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files...

5.5 CVSS | 5.7 AI score | 0.0043 EPSS
Exploits: 1 | References: 4

Positive Technologies
added 2026/06/02 12:0 a.m., 4 views

PT-2026-48838

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files...

5.4 AI score
Exploits: 0 | References: 6

OSV
added 2026/05/11 5:44 a.m., 3 views

BIT-GOLANG-2026-39817 Invoking "go tool pack" does not sanitize output paths in cmd/go

The "go tool pack" subcommand usually used only by the compiler as an internal tool with known-good inputs does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem...

5.9 CVSS | 5.9 AI score | 0.0017 EPSS
Exploits: 0 | References: 5

OSV
added 2026/05/07 8:16 p.m., 2 views

DEBIAN-CVE-2026-39817

The "go tool pack" subcommand usually used only by the compiler as an internal tool with known-good inputs does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem...

5.9 CVSS | 5.9 AI score | 0.0017 EPSS
Exploits: 0 | References: 1

CVE
added 2026/05/07 7:41 p.m., 31 views

CVE-2026-39817

The CVE-2026-39817 issue concerns the Go tool chain: the go tool pack subcommand (used internally by the compiler) does not sanitize output filenames. This allows an attacker to craft a malicious archive that, when unpacked via pack, can write files to arbitrary locations on the filesystem. Repor...

5.9 CVSS | 5.9 AI score | 0.0017 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

Cvelist
added 2026/05/07 7:41 p.m., 32 views

CVE-2026-39817 Invoking "go tool pack" does not sanitize output paths in cmd/go

The "go tool pack" subcommand usually used only by the compiler as an internal tool with known-good inputs does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem...

0.0017 EPSS
Exploits: 0 | References: 4

CNNVD
added 2026/04/24 12:0 a.m., 7 views

BridgeHead FileStore security vulnerability

BridgeHead FileStore is a medical data-oriented file storage and long-term archiving management system developed by BridgeHead Corporation in Canada. Previous versions of BridgeHead FileStore 24A contained security vulnerabilities. These vulnerabilities stemmed from the Apache Axis2 management...

9.8 CVSS | 6.1 AI score | 0.0054 EPSS
Exploits: 0 | References: 1

RedhatCVE
added 2026/04/22 10:4 a.m., 6 views

CVE-2026-41245

A flaw was found in Junrar, an open-source Java RAR archive library. A path traversal vulnerability in the LocalFolderExtractor allows a remote attacker to write arbitrary files with attacker-controlled content into sibling directories. This occurs when a specially crafted RAR archive is extracte...

9.3 CVSS | 5.9 AI score | 0.00318 EPSS
Exploits: 0 | References: 6

EUVD
added 2026/04/18 1:36 a.m., 0 views

EUVD-2026-23642

gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members...

6.5 CVSS | 5.9 AI score | 0.00575 EPSS
Exploits: 1 | References: 3

Snyk
added 2026/04/10 7:32 p.m., 2 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the removeUnusedAttributeView process. An attacker can delete arbitrary .json files within the workspace by supplying crafted path traversal sequences in the id parameter, allowing removal of files outside the...

8.5 CVSS | 6.3 AI score | 0.00287 EPSS
Exploits: 0 | References: 2

Positive Technologies
added 2026/04/09 12:0 a.m., 2 views

PT-2026-31787

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the safe extractall function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling...

6.5 CVSS | 5.9 AI score | 0.00243 EPSS
Exploits: 1 | References: 3

CNNVD
added 2026/04/08 12:0 a.m., 5 views

Google Go security vulnerability

Google Go is a static, strongly typed, compiled, concurrent programming language with garbage collection features from the American company Google. There is a security vulnerability in Google Go, which can lead to the allocation of unlimited memory when reading malicious archives containing a lar...

5.5 CVSS | 5.8 AI score | 0.0029 EPSS
Exploits: 0 | References: 4

CNNVD
added 2026/04/07 12:0 a.m., 7 views

libarchive code issue vulnerability

Libarchive is an open-source multi-format archiving and compression library developed by Libarchive. There are code issues in Libarchive, specifically a vulnerability related to ACL parsing logic. This vulnerability involves null pointer dereferencing, which may cause applications to crash or...

5.5 CVSS | 5.9 AI score | 0.00163 EPSS
Exploits: 0 | References: 2

OSV
added 2026/04/06 6:16 p.m., 7 views

PYSEC-2026-159

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generatecontainerfile in src/bentoml/internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extensio...

9.6 CVSS | 6 AI score | 0.00392 EPSS
Exploits: 1 | References: 1

NVD
added 2026/04/06 4:16 p.m., 1 views

CVE-2026-5704

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files...

5.5 CVSS | 0.0043 EPSS
Exploits: 1 | References: 5

Positive Technologies
added 2026/04/06 12:0 a.m., 2 views

PT-2026-30666

Name of the Vulnerable Software and Affected Versions: GNU tar, affected versions not specified. Description: A flaw exists in GNU tar that allows a remote attacker to craft a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction...

5.5 CVSS | 5.8 AI score | 0.0043 EPSS
Exploits: 1 | References: 18

CNNVD
added 2026/04/06 12:0 a.m., 7 views

Red Hat Enterprise Linux 10 code issue vulnerability

Red Hat Enterprise Linux 10 is a Linux operating system designed for enterprise users by the American company Red Hat. Red Hat Enterprise Linux 10 has code-related vulnerabilities, which stem from specially crafted malicious archive files. These vulnerabilities may lead to hidden file injections...

5.5 CVSS | 5.8 AI score | 0.0043 EPSS
Exploits: 1 | References: 3

ATTACKERKB
added 2026/03/15 1:35 p.m., 4 views

CVE-2016-20026

ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP...

6.1 AI score | 0.0078 EPSS
Exploits: 1 | References: 5 | Affected Software: 1

OSV
added 2026/03/05 10:16 p.m., 0 views

CVE-2026-28486

OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives that, when extracted via skills install, hooks instal...

5.5 CVSS | 6 AI score
Exploits: 0 | References: 3