CVE-2026-43637
Severity CVSS v4.0:
HIGH
Type:
CWE-22
Path Traversal
Publication date:
15/07/2026
Last modified:
15/07/2026
Description
Cornac before 2.6.0 contains a path traversal (Tar Slip) vulnerability that allows attackers to write arbitrary files outside the intended cache directory by supplying a crafted TAR archive containing ../ sequences, absolute paths, or symlink/hardlink entries to the _extract_archive() function in cornac/utils/download.py. Attackers can trigger this vulnerability through the built-in dataset loaders, which automatically download and extract archives, causing archive.extractall() to write files to arbitrary locations on the filesystem accessible to the running process.
Impact
Base Score 4.0
8.80
Severity 4.0
HIGH
Base Score 3.x
9.10
Severity 3.x
CRITICAL



