Loading market data...
← Back to CVE feed

CVE-2026-29509

MEDIUM CVSS 5.4 View on NVD ↗

Description

Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12, where the is_within_directory() helper uses os.path.commonprefix() for character-level string comparison instead of path-level comparison, allowing a crafted archive member path to bypass the containment check. Attackers can supply a malicious archive with specially crafted member paths to write arbitrary files.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Published: Jun 26, 2026 20:16 UTC Modified: Jun 27, 2026 04:17 UTC