13 matches found
EUVD-2026-37812
BBOT: Path traversal Zip-Slip in unarchive module - incomplete fix for CVE-2025-10284...
CVE-2026-12565
The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools e.g. GNU tar which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extractio...
CVE-2026-12565 Path Traversal (Zip-Slip) in unarchive module
The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools e.g. GNU tar which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extractio...
CVE-2026-12565
The CVE-2026-12565 entry concerns the unarchive module’s archive extraction commands, which perform no path validation and rely on external tools (notably GNU tar) whose behavior varies by platform. On systems using GNU tar < 1.34 (e.g., Ubuntu 20.04, Debian Buster, CentOS 7, and many Docker b...
PT-2026-50560
Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description The unarchive internal module's archive extraction commands lack code-level validation for extracted file paths. This causes the module to rely on the behavior o...
CVE-2026-50567
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Unarchive in pkg/utils/zip.go joined each archive entry name with the destination directory via filepath.Join and wrote the result...
Directory Traversal
Overview bbot is an OSINT automation for hackers. Affected versions of this package are vulnerable to Directory Traversal via unarchive.py. An attacker can execute arbitrary code by supplying a specially crafted archive file that, when extracted, writes files to arbitrary locations on the file...
CVE-2025-10284
BBOT's unarchive module could be abused by supplying malicious archives files and when extracted can then perform an arbitrary file write, resulting in remote code execution...
CVE-2025-10284 Improper Archive Extraction in unarchive Enables RCE
BBOT's unarchive module could be abused by supplying malicious archives files and when extracted can then perform an arbitrary file write, resulting in remote code execution...
CVE-2025-10284
BBOT’s unarchive.py is vulnerable to arbitrary file write and remote code execution when extracting crafted archives, due to insufficient sanitization of archive entry paths (path traversal/Zip-Slip-like behavior). The CVE description and multiple sources (NVD/NVD entry, Red Hat advisory, GHSA, a...
CVE-2025-10284 Improper Archive Extraction in unarchive Enables RCE
BBOT's unarchive module could be abused by supplying malicious archives files and when extracted can then perform an arbitrary file write, resulting in remote code execution...
PT-2025-41397
Name of the Vulnerable Software and Affected Versions BBOT affected versions not specified Description The unarchive module in BBOT is susceptible to exploitation through the use of malicious archive files. When these files are extracted, they can trigger arbitrary file writes, potentially leadin...
Ansible: modules which use files encrypted with vault are not properly cleaned up
A flaw was found on Ansible Engine when using modules which decrypts vault files such as assemble, script, unarchive, wincopy, awss3 or copy modules. The temporary directory is created in /tmp leaves the secrets unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root...