{"url":"http://public2.vulnerablecode.io/api/packages/14063?format=json","purl":"pkg:maven/com.github.junrar/junrar@1.0.1","type":"maven","namespace":"com.github.junrar","name":"junrar","version":"1.0.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.5.10","latest_non_vulnerable_version":"7.5.10","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/163763?format=json","vulnerability_id":"VCID-bzn9-qh1r-h7dc","summary":"Junrar is an open source java RAR archive library. In affected versions, a carefully crafted RAR archive can trigger an infinite loop while extracting said archive. The impact depends solely on how the application uses the library, and whether files can be provided by malicious users. The problem is patched in 7.4.1. There are no known workarounds and users are advised to upgrade as soon as possible.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23596.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23596.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23596","reference_id":"","reference_type":"","scores":[{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58656","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58544","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23596"},{"reference_url":"https://github.com/junrar/junrar","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/junrar/junrar"},{"reference_url":"h
ttps://bugzilla.redhat.com/show_bug.cgi?id=2049778","reference_id":"2049778","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2049778"},{"reference_url":"https://github.com/junrar/junrar/issues/73","reference_id":"73","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:45:20Z/"}],"url":"https://github.com/junrar/junrar/issues/73"},{"reference_url":"https://github.com/junrar/junrar/commit/7b16b3d90b91445fd6af0adfed22c07413d4fab7","reference_id":"7b16b3d90b91445fd6af0adfed22c07413d4fab7","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:45:20Z/"}],"url":"https://github.com/junrar/junrar/commit/7b16b3d90b91445fd6af0adfed22c07413d4fab7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23596","reference_id":"CVE-2022-23596","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23596"},{"reference_url":"https://github.com/advisories/GHSA-m6cj-93v6-cvr5","reference_id":"GHSA-m6cj-93v6-cvr5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m6cj-93v6-cvr5"},{"reference_url":"https://github.com/junrar/junrar/security/advisories/GHSA-m6cj-93v6-cvr5","reference_id":"GHSA-m6cj-93v6-cvr5","reference_t
ype":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:45:20Z/"}],"url":"https://github.com/junrar/junrar/security/advisories/GHSA-m6cj-93v6-cvr5"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5532","reference_id":"RHSA-2022:5532","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5532"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18899?format=json","purl":"pkg:maven/com.github.junrar/junrar@7.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vt2t-w4v7-dbhv"},{"vulnerability":"VCID-xf7w-seed-dye7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.github.junrar/junrar@7.4.1"}],"aliases":["CVE-2022-23596","GHSA-m6cj-93v6-cvr5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bzn9-qh1r-h7dc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80981?format=json","vulnerability_id":"VCID-vt2t-w4v7-dbhv","summary":"Junrar is an open source java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. 
Version 7.5.10 fixes the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41245.json","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41245.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41245","reference_id":"","reference_type":"","scores":[{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22613","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22808","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41245"},{"reference_url":"https://github.com/junrar/junrar","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/junrar/junrar"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41245","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41245"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2459769","reference_id":"2459769","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2459769"},{"reference_url":"https://github.com/junrar/junrar/commit/d77e9a83eb721cd51f9c23d7869d0e6ad7f952d7","reference_id":"d77e9a83eb721cd51f9c23d7869d0e6ad7f952d7","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_syste
m":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:34:57Z/"}],"url":"https://github.com/junrar/junrar/commit/d77e9a83eb721cd51f9c23d7869d0e6ad7f952d7"},{"reference_url":"https://github.com/advisories/GHSA-hf5p-q87m-crj7","reference_id":"GHSA-hf5p-q87m-crj7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hf5p-q87m-crj7"},{"reference_url":"https://github.com/junrar/junrar/security/advisories/GHSA-hf5p-q87m-crj7","reference_id":"GHSA-hf5p-q87m-crj7","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:34:57Z/"}],"url":"https://github.com/junrar/junrar/security/advisories/GHSA-hf5p-q87m-crj7"},{"reference_url":"https://github.com/junrar/junrar/releases/tag/v7.5.10","reference_id":"v7.5.10","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:34:57Z/"}],"url":"https://github.com/junrar/junrar/releases/tag/v7.5.10"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374016?format=json","purl":"pkg:maven/com.github.junrar/junrar@7.5.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.github.junrar/junrar@7.5.10"}],"aliases":["CVE-2026-41245","GHSA-hf5p-q87m-crj7"
],"risk_score":4.2,"exploitability":"0.5","weighted_severity":"8.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vt2t-w4v7-dbhv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69600?format=json","vulnerability_id":"VCID-xf7w-seed-dye7","summary":"Junrar is an open source java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc). Version 7.5.8 has a fix for the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28208.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28208.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28208","reference_id":"","reference_type":"","scores":[{"value":"0.00211","scoring_system":"epss","scoring_elements":"0.43872","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00211","scoring_system":"epss","scoring_elements":"0.43715","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28208"},{"reference_url":"https://github.com/junrar/junrar","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/junrar/junrar"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443166","reference_id":"2443166","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?i
d=2443166"},{"reference_url":"https://github.com/junrar/junrar/commit/947ff1d33f00f940aa68ae2593500291d799d954","reference_id":"947ff1d33f00f940aa68ae2593500291d799d954","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-02T20:47:10Z/"}],"url":"https://github.com/junrar/junrar/commit/947ff1d33f00f940aa68ae2593500291d799d954"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28208","reference_id":"CVE-2026-28208","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28208"},{"reference_url":"https://github.com/advisories/GHSA-j273-m5qq-6825","reference_id":"GHSA-j273-m5qq-6825","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j273-m5qq-6825"},{"reference_url":"https://github.com/junrar/junrar/security/advisories/GHSA-j273-m5qq-6825","reference_id":"GHSA-j273-m5qq-6825","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-02T20:47:10Z/"}],"url":"https://github.com/junrar/junrar/security/advisories/GHSA-j273-m5qq-6825"},{"reference_url":"https://github.com/junrar/junrar/releases/tag/v7.5.8","reference_id":"v7.5.8","reference_type":"","scores":[{"va
lue":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-02T20:47:10Z/"}],"url":"https://github.com/junrar/junrar/releases/tag/v7.5.8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39987?format=json","purl":"pkg:maven/com.github.junrar/junrar@7.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vt2t-w4v7-dbhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.github.junrar/junrar@7.5.8"}],"aliases":["CVE-2026-28208","GHSA-j273-m5qq-6825"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xf7w-seed-dye7"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30709?format=json","vulnerability_id":"VCID-v5ev-z8kw-gfgc","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12418.json","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12418.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-12418","reference_id":"","reference_type":"","scores":[{"value":"0.00414","scoring_system":"epss","scoring_elements":"0.61973","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00414","scoring_system":"epss","scoring_elements":"0.62074","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-12418"},{"reference_url":"https://github.com/junrar/junrar","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L
/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/junrar/junrar"},{"reference_url":"https://github.com/junrar/junrar/commit/ad8d0ba8e155630da8a1215cee3f253e0af45817","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/junrar/junrar/commit/ad8d0ba8e155630da8a1215cee3f253e0af45817"},{"reference_url":"https://github.com/junrar/junrar/pull/8","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/junrar/junrar/pull/8"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1591917","reference_id":"1591917","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1591917"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-12418","reference_id":"CVE-2018-12418","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-12418"},{"reference_url":"https://github.com/advisories/GHSA-5xqr-grq4-qwgx","reference_id":"GHSA-5xqr-grq4-qwgx","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5xqr-grq4-qwgx"}],"fixed_packages":[{"url":"http://public2.vulnerabl
ecode.io/api/packages/14063?format=json","purl":"pkg:maven/com.github.junrar/junrar@1.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bzn9-qh1r-h7dc"},{"vulnerability":"VCID-vt2t-w4v7-dbhv"},{"vulnerability":"VCID-xf7w-seed-dye7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.github.junrar/junrar@1.0.1"}],"aliases":["CVE-2018-12418","GHSA-5xqr-grq4-qwgx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v5ev-z8kw-gfgc"}],"risk_score":"4.2","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.github.junrar/junrar@1.0.1"}