
111 matches found

AstraLinux
added 2026/05/20 5:53 a.m. · 8 views

Astra Linux - vulnerability in grub2

A flaw was discovered in grub2. When reading tar files, grub2 allocates an internal buffer for the file name. However, it fails to properly verify the allocation against possible integer overflows. It’s possible to cause the allocation length to overflow with a specially crafted tar file, resulti...

CVSS 6.7 · AI score 6.8 · EPSS 0.00262
Exploits 0 · References 2
Debian CVE
added 2026/04/20 2:55 p.m. · 5 views

CVE-2026-3219

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds wit...

CVSS 4.6 · AI score 5.2 · EPSS 0.00144
Exploits 0
OSV
added 2026/01/22 4:57 p.m. · 2 views

SUSE-SU-2026:20134-1 Security update for busybox

This update for busybox fixes the following issues. Security fixes: - CVE-2025-60876: HTTP request header injection in wget (bsc1253245). - CVE-2025-46394: Fixed tar hidden files via escape sequence (bsc1241661). Other fixes: - Set CONFIGFIRSTSYSTEMID to 201 to avoid conflict (bsc1236670). - Fix unshar...

CVSS 6.5 · AI score 7.1 · EPSS 0.00252
Exploits 1 · References 7
RedhatCVE
added 2026/01/19 11:25 p.m. · 3 views

CVE-2026-23644

esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. path.Clean normalizes a path but does not prevent absolute paths in a malicious tar file...

CVSS 8.7 · AI score 5.5 · EPSS 0.00476
Exploits 1 · References 1
Positive Technologies
added 2026/01/18 12:00 a.m. · 12 views

PT-2026-3403

Name of the Vulnerable Software and Affected Versions: esm.sh versions prior to 0.0.0-20260116051925-c62ab83c589e. Description: esm.sh is a content delivery network for web development. Versions prior to pseudoversion 0.0.0-20260116051925-c62ab83c589e contain a path traversal issue. The issue stems...

CVSS 9.9 · AI score 5.3 · EPSS 0.27661
Exploits 44 · References 118
IBM Security Bulletins
added 2025/10/31 11:17 a.m. · 12 views

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality [CVE-2025-59343]

Summary: The Node.js module tar-fs is used by IBM App Connect Enterprise Certified Container for processing tar files and streams. IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported...

CVSS 8.7 · AI score 6.4 · EPSS 0.00516
Exploits 0 · Affected Software 1
EUVD
added 2025/10/07 12:30 a.m. · 4 views

EUVD-2021-25568

Malware in sbrugna...

CVSS 7.1 · AI score 7 · EPSS 0.00344
Exploits 1 · References 2
EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2006-1327

Malware in sbrugna...

CVSS 5.1 · AI score 6.4 · EPSS 0.02408
Exploits 0 · References 7
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2008-7103

Malware in sbrugna...

CVSS 10 · AI score 6.4 · EPSS 0.02266
Exploits 0 · References 7
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2009-1269

Malware in sbrugna...

CVSS 7.8 · AI score 6 · EPSS 0.05067
Exploits 0 · References 16
EUVD
added 2025/10/03 8:07 p.m. · 5 views

EUVD-2024-1952

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 8.6 · EPSS 0.01178
Exploits 1 · References 9
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2025-7031

Malicious code in bioql PyPI...

CVSS 7.1 · AI score 7 · EPSS 0.00293
Exploits 0 · References 4
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2025-6946

Malicious code in bioql PyPI...

CVSS 9.1 · AI score 8 · EPSS 0.01368
Exploits 1 · References 4
OSV
added 2025/09/24 6:57 p.m. · 1 view

GHSA-VJ76-C3G6-QR5V tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball

Impact: v3.1.0, v2.1.3, v1.16.5 and below. Patches: has been patched in 3.1.1, 2.1.4, and 1.16.6. Workarounds: you can use the ignore option to ignore non-files/directories (js): `ignore , header // pass files & directories, ignore e.g. symlinks return header.type !== 'file' && header.type !== 'directory...`

CVSS 8.7 · AI score 6.7 · EPSS 0.00516
Exploits 0 · References 5
Tenable Nessus
added 2025/08/27 12:00 a.m. · 3 views

Linux Distros Unpatched Vulnerability : CVE-2024-7776

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability in the downloadmodel function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to...

CVSS 9.1 · AI score 8 · EPSS 0.01368
Exploits 1 · References 3
Microsoft CVE
added 2025/08/06 7:00 a.m. · 3 views

Vim has a path traversal issue with tar.vim and specially crafted tar files

...

CVSS 4.1 · AI score 7 · EPSS 0.00242
Exploits 1
Veracode
added 2025/08/01 11:31 a.m. · 2 views

Path Traversal

Aim is vulnerable to Path Traversal. The vulnerability is due to missing path validation: the restorerunbackup function extracts crafted backup tar files without validating file paths, allowing remote attackers to write arbitrary files to the server's filesystem...

CVSS 7 · AI score 7.3 · EPSS 0.00458
Exploits 1 · References 3 · Affected Software 1
CVE
added 2025/07/15 8:48 p.m. · 50 views

CVE-2025-53905

CVE-2025-53905 affects Vim where, prior to version 9.1.1552, the tar.vim plugin is vulnerable to a path traversal in crafted tar archives. This can allow overwriting arbitrary files when a user opens such archives; exploitation is feasible only with user interaction. Affected behavior includes po...

CVSS 4.1 · AI score 7.3 · EPSS 0.00242
Exploits 1 · References 3 · Affected Software 1
RedHat Linux
added 2025/07/01 10:05 p.m. · 17 views

python: cpython: Arbitrary writes via tarfile realpath overflow

A flaw was found in the CPython tarfile module. This vulnerability allows arbitrary filesystem writes outside the extraction directory via extracting untrusted tar archives using the TarFile.extractall or TarFile.extract methods with the extraction filter parameter set to "data" or "tar"...

CVSS 9.4 · AI score 6.7 · EPSS 0.01184
Exploits 11 · References 10
CVE
added 2025/06/16 8:23 p.m. · 31 views

CVE-2025-32799

CVE-2025-32799 affects conda-build prior to 25.4.0, where tar entry path sanitization allows path traversal (Tarslip) in created/extracted archives. Attacks could overwrite files outside the extraction directory, potentially leading to privilege escalation or code execution. A fix is available in...

CVSS 9.8 · AI score 7.9 · EPSS 0.01265
Exploits 1 · References 4 · Affected Software 1