CVE-2026-29509
Severity CVSS v4.0:
MEDIUM
Type:
CWE-22
Path Traversal
Publication date:
26/06/2026
Last modified:
27/06/2026
Description
Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12, where the is_within_directory() helper uses os.path.commonprefix() for character-level string comparison instead of path-level comparison, allowing a crafted archive member path to bypass the containment check. Attackers can supply a malicious archive with specially crafted member paths to write arbitrary files.
Impact
Base Score 4.0
5.30
Severity 4.0
MEDIUM
Base Score 3.x
5.40
Severity 3.x
MEDIUM



