CVE-2026-7774 – tarfile.data_filter path traversal bypass allows writing outside the extraction directory

CVE ID :CVE-2026-7774

Published : June 4, 2026, 4:16 p.m. | 16 minutes ago

Description :tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.

Severity: 6.9 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-50292 – libinput: Arbitrary Root Code Execution via Device Group udev Property Injection

CVE-2026-48040 – netty-incubator-codec-ohttp’s Incorrect Native Pointer Derivation in Pooled Direct ByteBuf Fallback Leads to Out-of-Bounds Native Memory Access

CVE-2026-41207 – netty-incubator-codec-ohttp’s HPKEContext operations may produce empty byte[] on failures

CVE-2026-25551 – Seagull Software BarTender Deserialization Privilege Escalation via .NET Remoting Service