
300 matches found

EUVD
added yesterday | 5 views

EUVD-2026-36631

Heap buffer out-of-bounds write vulnerability in Avira Antivirus engine when scanning a malformed POSIX tar archive may allow Local Execution of Code or Denial-of-Service of the antivirus engine process. This issue affects Avira Antivirus on Windows, macOS, and Linux for engine builds before...

CVSS 7.8 | AI score 5.6 | EPSS 0.00015
Exploits: 0 | References: 2
RedHat Linux
added 6 days ago | 5 views

libarchive: Buffer Overflow vulnerability in libarchive

A flaw was found in the libarchive package. Affected versions of libarchive do not check a strftime return value, which can lead to a denial of service or unspecified other impacts via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be...

CVSS 7.8 | AI score 5.9 | EPSS 0.00028
Exploits: 1 | References: 7
RedhatCVE
added 2026/06/05 7:13 p.m. | 7 views

CVE-2026-39306

PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains ../...

CVSS 7.3 | AI score 5.6 | EPSS 0.00052
Exploits: 1 | References: 1
NVD
added 2026/06/01 7:16 p.m. | 7 views

CVE-2026-43623

microtar through 0.1.0 contains a stack-based buffer overflow vulnerability in the rawtoheader function in src/microtar.c that allows attackers to corrupt adjacent stack memory by supplying a crafted TAR archive with non-null-terminated name or linkname fields. The function uses strcpy to copy...

CVSS 8.8 | EPSS 0.00041
Exploits: 0 | References: 4
Cvelist
added 2026/05/26 9:32 p.m. | 30 views

CVE-2026-44788 SharpCompress: Directory traversal via directory entries in WriteToDirectory (zip slip variant)

SharpCompress is a fully managed C# library to deal with many compression types and formats. In 0.47.4 and earlier, a path traversal vulnerability in IArchive.WriteToDirectory allows a malicious archive to create directories outside the intended extraction root. For TAR archives, this can be...

CVSS 5.9 | EPSS 0.00012
Exploits: 1 | References: 1
EUVD
added 2026/05/26 9:32 p.m. | 10 views

EUVD-2026-32013

SharpCompress is a fully managed C# library to deal with many compression types and formats. In 0.47.4 and earlier, a path traversal vulnerability in IArchive.WriteToDirectory allows a malicious archive to create directories outside the intended extraction root. For TAR archives, this can be...

CVSS 5.9 | AI score 6 | EPSS 0.00012
Exploits: 1 | References: 1
AstraLinux
added 2026/05/20 5:53 a.m. | 8 views

Astra Linux - vulnerability in cpio

In all versions of cpio before 2.13, input files are not properly validated when generating TAR archives. When cpio is used to create TAR archives from paths that attackers can access, the resulting archive may contain files with permissions that the attacker does not have, or in paths to which t...

CVSS 7.3 | AI score 6.6 | EPSS 0.00032
Exploits: 1 | References: 2
RedHat Linux
added 2026/05/19 9:16 a.m. | 6 views

node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check

A flaw was found in node-tar, a Node.js module for handling TAR archives. This vulnerability allows a remote attacker to bypass path traversal protections by crafting a malicious TAR archive. The security check for hardlink entries uses different path resolution logic than the actual hardlink...

CVSS 8.2 | AI score 6.7 | EPSS 0.00027
Exploits: 1 | References: 6
CNNVD
added 2026/05/15 12:00 a.m. | 7 views

APM – Agent Package Manager path traversal vulnerability

APM – Agent Package Manager is an AI-based dependency management tool open sourced by Microsoft. Versions of APM prior to 0.13.0 contained a path traversal vulnerability. This vulnerability stemmed from a Windows-specific archive extraction boundary failure. When using apm install with Python 3.1...

CVSS 5.5 | AI score 5.9 | EPSS 0.00055
Exploits: 0 | References: 1
OSV
added 2026/05/08 11:50 p.m. | 3 views

GHSA-6C8G-7P36-R338 SharpCompress has directory traversal via directory entries in WriteToDirectory (zip slip variant)

Summary: A path traversal vulnerability in IArchive.WriteToDirectory allows a malicious archive to create directories outside the intended extraction root. For TAR archives, this can be escalated to arbitrary file writes by chaining with a symlink entry, giving a full write primitive on the target...

CVSS 5.9 | AI score 6 | EPSS 0.00012
Exploits: 1 | References: 2
Snyk
added 2026/05/08 4:31 p.m. | 8 views

Directory Traversal

Overview: PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

CVSS 8.7 | AI score 6.3 | EPSS 0.00025
Exploits: 1 | References: 2
Positive Technologies
added 2026/05/08 12:00 a.m. | 8 views

PT-2026-39297

Name of the Vulnerable Software and Affected Versions: SharpCompress (affected versions not specified). Description: A path traversal issue exists in the IArchive.WriteToDirectory method, specifically within the WriteToDirectoryInternal and WriteToDirectoryAsyncInternal functions. This allows a...

CVSS 6.5 | AI score 5.9 | EPSS 0.00012
Exploits: 1 | References: 7
OSV
added 2026/04/24 4:44 p.m. | 5 views

CLSA-2026-1777049076 tar: Fix of CVE-2019-9923

CVE-2019-9923: fix possible NULL dereference in paxdecodeheader...

CVSS 7.5 | AI score 7.3 | EPSS 0.004
Exploits: 0 | References: 1
Microsoft CVE
added 2026/04/23 8:03 a.m. | 8 views

pip doesn't reject concatenated ZIP and tar archives

...

CVSS 4.6 | AI score 5.8 | EPSS 0.00018
Exploits: 0
CNNVD
added 2026/04/20 12:00 a.m. | 6 views

pip security vulnerability

pip is a Python package installer developed by the Python Packaging Authority. There is a security vulnerability in pip, which stems from treating concatenated tar and ZIP files as ZIP files. This vulnerability may lead to confusing installation behaviors...

CVSS 4.6 | AI score 6.2 | EPSS 0.00018
Exploits: 0 | References: 1
Positive Technologies
added 2026/04/20 12:00 a.m. | 3 views

PT-2026-33775

Name of the Vulnerable Software and Affected Versions: pip (affected versions not specified). Description: pip processes concatenated tar and ZIP files exclusively as ZIP files, ignoring the filename or the fact that the file contains both archive types. This behavior can lead to the installation of...

CVSS 7.5 | AI score 5.2 | EPSS 0.03014
Exploits: 4 | References: 83
Debian CVE
added 2026/04/18 1:36 a.m. | 5 views

CVE-2026-40491

gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members...

CVSS 7.8 | AI score 5.8 | EPSS 0.00105
Exploits: 1
Github Security Blog
added 2026/04/14 11:34 p.m. | 12 views

OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses

Impact: Unauthenticated denial of service. Summary: When installing module packages from attacker-controlled sources, tofu init may use unbounded memory, cause high CPU usage, or deadlock when encountering maliciously-crafted TLS certificate chains or tar archives. Those who depend on modules or...

CVSS 7.5 | AI score 6.5 | EPSS 0.00022
Exploits: 0 | References: 8 | Affected Software: 1
RedhatCVE
added 2026/04/14 7:22 p.m. | 3 views

CVE-2026-40157

PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmdunpack in the recipe CLI extracts .praison tar archives using raw tar.extract without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who...

CVSS 9.4 | AI score 5.9 | EPSS 0.00084
Exploits: 1 | References: 1
Snyk
added 2026/04/08 12:04 a.m. | 2 views

Directory Traversal

Overview: pyload-ng is the free and open-source Download Manager written in pure Python. Affected versions of this package are vulnerable to Directory Traversal in the safeextractall function. An attacker can write files outside the intended extraction directory by crafting a malicious tar archiv...

CVSS 6.5 | AI score 6.3 | EPSS 0.00058
Exploits: 1 | References: 2