Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-7774
PUBLISHED
More InfoOfficial Page
Assigner-PSF
Assigner Org ID-28c92f92-d60d-412d-b760-e73465c3df22
View Known Exploited Vulnerability (KEV) details
Published At-04 Jun, 2026 | 14:21
Updated At-04 Jun, 2026 | 17:27
Rejected At-
▼CVE Numbering Authority (CNA)
tarfile.data_filter path traversal bypass allows writing outside the extraction directory

tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.

Affected Products
Vendor
Python Software FoundationPython Software Foundation
Product
CPython
Repo
https://github.com/python/cpython
Modules
  • tarfile
Default Status
unaffected
Versions
Affected
  • From 0 before 3.15.0 (python)
Problem Types
TypeCWE IDDescription
CWECWE-22CWE-22
Type: CWE
CWE ID: CWE-22
Description: CWE-22
Metrics
VersionBase scoreBase severityVector
4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
Phùng Siêu Đạt (OPSWAT Unit 515)
coordinator
Seth Larson (https://github.com/sethmlarson)
remediation developer
Gregory P. Smith (https://github.com/gpshead)
remediation developer
Petr Viktorin (https://github.com/encukou)
coordinator
Stan Ulbrych (https://github.com/StanFromIreland)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/python/cpython/pull/149487
patch
https://github.com/python/cpython/issues/149486
issue-tracking
https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/
vendor-advisory
Hyperlink: https://github.com/python/cpython/pull/149487
Resource:
patch
Hyperlink: https://github.com/python/cpython/issues/149486
Resource:
issue-tracking
Hyperlink: https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found