CVE-2026-45390
OCaml-tar prior to 3.4.0 is vulnerable to a path traversal that permits writing outside the extraction directory when unpacking archives containing ../ segments. The root cause is Filename.concat not sanitizing paths, leading to Unix.openfile opening sensitive system files. The OSV/PTSecurity det...
PT-2026-42856
In OCaml-tar before 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, and tar1 rejects such extractions, but ocaml-tar decompresses it anyway. The impact is that it allows arbitrary file writes outside of the...