CVE-2026-26960

EUVD-2026-8399
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
Affected Products (NVD)
VendorProductVersion
isaacstar
𝑥
< 7.5.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-tar
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
6.0.5+ds1+~cs11.3.9-1+deb11u3
fixed
forky
6.2.1+ds1+~cs6.1.13-10
fixed
sid
7.5.16+~4.0.1-2
fixed
trixie
6.2.1+~cs7.0.8-1+deb13u1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
nodejs20
Amazon Linux 2023
1:20.20.1-1.amzn2023.0.2
fixed
nodejs20-debuginfo
Amazon Linux 2023
1:20.20.1-1.amzn2023.0.2
fixed
nodejs20-debugsource
Amazon Linux 2023
1:20.20.1-1.amzn2023.0.2
fixed
nodejs20-devel
Amazon Linux 2023
1:20.20.1-1.amzn2023.0.2
fixed
nodejs20-docs
Amazon Linux 2023
1:20.20.1-1.amzn2023.0.2
fixed
nodejs20-full-i18n
Amazon Linux 2023
1:20.20.1-1.amzn2023.0.2
fixed
nodejs20-libs
Amazon Linux 2023
1:20.20.1-1.amzn2023.0.2
fixed
nodejs20-libs-debuginfo
Amazon Linux 2023
1:20.20.1-1.amzn2023.0.2
fixed
nodejs20-npm
Amazon Linux 2023
1:10.8.2-1.20.20.1.1.amzn2023.0.2
fixed
nodejs22
Amazon Linux 2023
1:22.22.1-1.amzn2023.0.1
fixed
nodejs22-debuginfo
Amazon Linux 2023
1:22.22.1-1.amzn2023.0.1
fixed
nodejs22-debugsource
Amazon Linux 2023
1:22.22.1-1.amzn2023.0.1
fixed
nodejs22-devel
Amazon Linux 2023
1:22.22.1-1.amzn2023.0.1
fixed
nodejs22-docs
Amazon Linux 2023
1:22.22.1-1.amzn2023.0.1
fixed
nodejs22-full-i18n
Amazon Linux 2023
1:22.22.1-1.amzn2023.0.1
fixed
nodejs22-libs
Amazon Linux 2023
1:22.22.1-1.amzn2023.0.1
fixed
nodejs22-libs-debuginfo
Amazon Linux 2023
1:22.22.1-1.amzn2023.0.1
fixed
nodejs22-npm
Amazon Linux 2023
1:10.9.4-1.22.22.1.1.amzn2023.0.1
fixed
nodejs24
Amazon Linux 2023
1:24.14.1-1.amzn2023.0.1
fixed
nodejs24-debuginfo
Amazon Linux 2023
1:24.14.1-1.amzn2023.0.1
fixed
nodejs24-debugsource
Amazon Linux 2023
1:24.14.1-1.amzn2023.0.1
fixed
nodejs24-devel
Amazon Linux 2023
1:24.14.1-1.amzn2023.0.1
fixed
nodejs24-docs
Amazon Linux 2023
1:24.14.1-1.amzn2023.0.1
fixed
nodejs24-full-i18n
Amazon Linux 2023
1:24.14.1-1.amzn2023.0.1
fixed
nodejs24-libs
Amazon Linux 2023
1:24.14.1-1.amzn2023.0.1
fixed
nodejs24-libs-debuginfo
Amazon Linux 2023
1:24.14.1-1.amzn2023.0.1
fixed
nodejs24-npm
Amazon Linux 2023
1:11.11.0-1.24.14.1.1.amzn2023.0.1
fixed
v8-11.3-devel
Amazon Linux 2023
3:11.3.244.8-1.20.20.1.1.amzn2023.0.2
fixed
v8-12.4-devel
Amazon Linux 2023
3:12.4.254.21-1.22.22.1.1.amzn2023.0.1
fixed
v8-13.6-devel
Amazon Linux 2023
3:13.6.233.17-1.24.14.1.1.amzn2023.0.1
fixed