Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-7774

Summary
Assigner-PSF
Assigner Org ID-28c92f92-d60d-412d-b760-e73465c3df22
Published At-04 Jun, 2026 | 14:21
Updated At-04 Jun, 2026 | 14:34
Rejected At-
Credits

tarfile.data_filter path traversal bypass allows writing outside the extraction directory

tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:PSF
Assigner Org ID:28c92f92-d60d-412d-b760-e73465c3df22
Published At:04 Jun, 2026 | 14:21
Updated At:04 Jun, 2026 | 14:34
Rejected At:
▼CVE Numbering Authority (CNA)
tarfile.data_filter path traversal bypass allows writing outside the extraction directory

tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.

Affected Products
Vendor
Python Software FoundationPython Software Foundation
Product
CPython
Repo
https://github.com/python/cpython
Modules
  • tarfile
Default Status
unaffected
Versions
Affected
  • From 0 before 3.15.0 (python)
Problem Types
TypeCWE IDDescription
CWECWE-22CWE-22
Type: CWE
CWE ID: CWE-22
Description: CWE-22
Metrics
VersionBase scoreBase severityVector
4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
Phùng Siêu Đạt (OPSWAT Unit 515)
coordinator
Seth Larson (https://github.com/sethmlarson)
remediation developer
Gregory P. Smith (https://github.com/gpshead)
remediation developer
Petr Viktorin (https://github.com/encukou)
coordinator
Stan Ulbrych (https://github.com/StanFromIreland)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/python/cpython/pull/149487
patch
https://github.com/python/cpython/issues/149486
issue-tracking
https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/
vendor-advisory
Hyperlink: https://github.com/python/cpython/pull/149487
Resource:
patch
Hyperlink: https://github.com/python/cpython/issues/149486
Resource:
issue-tracking
Hyperlink: https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/
Resource:
vendor-advisory
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@python.org
Published At:04 Jun, 2026 | 16:16
Updated At:04 Jun, 2026 | 16:40

tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-22Secondarycna@python.org
CWE ID: CWE-22
Type: Secondary
Source: cna@python.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/python/cpython/issues/149486cna@python.org
N/A
https://github.com/python/cpython/pull/149487cna@python.org
N/A
https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/cna@python.org
N/A
Hyperlink: https://github.com/python/cpython/issues/149486
Source: cna@python.org
Resource: N/A
Hyperlink: https://github.com/python/cpython/pull/149487
Source: cna@python.org
Resource: N/A
Hyperlink: https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/
Source: cna@python.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

6Records found
CVE-2026-3087
Matching Score-6
Assigner-Python Software Foundation
ShareView Details
Matching Score-6
Assigner-Python Software Foundation
CVSS Score-6||MEDIUM
EPSS-0.08% / 23.27%
||
7 Day CHG+0.01%
Published-27 Apr, 2026 | 20:46
Updated-04 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

Action-Not Available
Vendor-Microsoft CorporationPython Software Foundation
Product-windowspythonCPython
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-4517
Matching Score-6
Assigner-Python Software Foundation
ShareView Details
Matching Score-6
Assigner-Python Software Foundation
CVSS Score-9.4||CRITICAL
EPSS-0.40% / 61.17%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 12:58
Updated-21 Apr, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary writes via tarfile realpath overflow

Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Action-Not Available
Vendor-Python Software Foundation
Product-CPython
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-4330
Matching Score-6
Assigner-Python Software Foundation
ShareView Details
Matching Score-6
Assigner-Python Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.01% / 77.46%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 12:58
Updated-21 Apr, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Extraction filter bypass for linking outside extraction directory

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Action-Not Available
Vendor-Python Software Foundation
Product-CPython
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-3479
Matching Score-6
Assigner-Python Software Foundation
ShareView Details
Matching Score-6
Assigner-Python Software Foundation
CVSS Score-Not Assigned
EPSS-0.02% / 3.78%
||
7 Day CHG~0.00%
Published-18 Mar, 2026 | 18:13
Updated-07 Apr, 2026 | 22:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
pkgutil.get_data() does not enforce documented restrictions

DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.

Action-Not Available
Vendor-Python Software Foundation
Product-CPython
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-12718
Matching Score-6
Assigner-Python Software Foundation
ShareView Details
Matching Score-6
Assigner-Python Software Foundation
CVSS Score-5.3||MEDIUM
EPSS-0.79% / 74.23%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 12:59
Updated-21 Apr, 2026 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bypass extraction filter to modify file metadata outside extraction directory

Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Action-Not Available
Vendor-Python Software Foundation
Product-CPython
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-4138
Matching Score-6
Assigner-Python Software Foundation
ShareView Details
Matching Score-6
Assigner-Python Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.87%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 12:59
Updated-21 Apr, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Action-Not Available
Vendor-Python Software Foundation
Product-CPython
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Details not found