CVE-2026-7774

Severity CVSS v4.0:
MEDIUM
Type:
CWE-22 Path Traversal
Publication date:
04/06/2026
Last modified:
07/07/2026

Description

tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.