2 matches found
@vltpkg/cli-sdk (>=0.0.0-7 <=1.0.0-rc.1), @vltpkg/config (>=0.0.0-19 <=1.0.0-rc.1) +9 more potentially affected by CVE-2026-24909 via @vltpkg/tar (>=0.0.0-0.1730239248325 <=1.0.0-rc.1)
@vltpkg/tar NPM version =0.0.0-0.1730239248325, =0.0.0-7, =0.0.0-19, =0.0.0-0.1730239248325, =0.0.0-7, =0.0.0-0.1730239248325, =0.0.0-0.1730239248325, =0.0.0-4, =0.0.0-7, =0.0.0-10, =0.0.0-26, =0.0.1, =1.2.0 Source cves: CVE-2026-24909 Source advisory: OSV:GHSA-GF2C-JWCJ-X929...
Relative Path Traversal
Overview @vltpkg/tar is an An extremely limited and very fast tar extractor Affected versions of this package are vulnerable to Relative Path Traversal via improper sanitization of file paths during the extraction process. An attacker can overwrite arbitrary files on the filesystem by crafting ta...