Loading market data...
← Back to CVE feed

CVE-2026-7774

UNKNOWN View on NVD ↗

Description

tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.

Published: Jun 04, 2026 16:16 UTC Modified: Jun 04, 2026 20:16 UTC