CVE-2026-43637
Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-22
Limitación incorrecta de nombre de ruta a un directorio restringido (Path Traversal)
Fecha de publicación:
15/07/2026
Última modificación:
15/07/2026
Descripción
*** Pendiente de traducción *** Cornac before 2.6.0 contains a path traversal (Tar Slip) vulnerability that allows attackers to write arbitrary files outside the intended cache directory by supplying a crafted TAR archive containing ../ sequences, absolute paths, or symlink/hardlink entries to the _extract_archive() function in cornac/utils/download.py. Attackers can trigger this vulnerability through the built-in dataset loaders, which automatically download and extract archives, causing archive.extractall() to write files to arbitrary locations on the filesystem accessible to the running process.
Impacto
Puntuación base 4.0
8.80
Gravedad 4.0
ALTA
Puntuación base 3.x
9.10
Gravedad 3.x
CRÍTICA



