Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/tar@6.2.1
Typenpm
Namespace
Nametar
Version6.2.1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version7.5.11
Latest_non_vulnerable_version7.5.11
Affected_by_vulnerabilities
0
url VCID-1p93-yau8-6kfr
vulnerability_id VCID-1p93-yau8-6kfr
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26960.json
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26960.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-26960
reference_id
reference_type
scores
0
value 8e-05
scoring_system epss
scoring_elements 0.00853
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-26960
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26960
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26960
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/isaacs/node-tar
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/isaacs/node-tar
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129378
reference_id 1129378
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129378
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2441253
reference_id 2441253
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2441253
7
reference_url https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384
reference_id 2cb1120bcefe28d7ecc719b41441ade59c52e384
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:17Z/
url https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-26960
reference_id CVE-2026-26960
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-26960
9
reference_url https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f
reference_id d18e4e1f846f4ddddc153b0f536a19c050e7499f
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:17Z/
url https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f
10
reference_url https://github.com/advisories/GHSA-83g3-92jg-28cx
reference_id GHSA-83g3-92jg-28cx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-83g3-92jg-28cx
11
reference_url https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
reference_id GHSA-83g3-92jg-28cx
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:17Z/
url https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
12
reference_url https://access.redhat.com/errata/RHSA-2026:5447
reference_id RHSA-2026:5447
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:5447
13
reference_url https://access.redhat.com/errata/RHSA-2026:6192
reference_id RHSA-2026:6192
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6192
14
reference_url https://access.redhat.com/errata/RHSA-2026:6428
reference_id RHSA-2026:6428
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6428
fixed_packages
0
url pkg:npm/tar@7.5.8
purl pkg:npm/tar@7.5.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4px3-atph-53gd
1
vulnerability VCID-ptq1-w3p5-rqgr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/tar@7.5.8
aliases CVE-2026-26960, GHSA-83g3-92jg-28cx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1p93-yau8-6kfr
1
url VCID-4px3-atph-53gd
vulnerability_id VCID-4px3-atph-53gd
summary node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31802.json
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31802.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-31802
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.01042
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-31802
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31802
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31802
3
reference_url https://github.com/isaacs/node-tar
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/isaacs/node-tar
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2445881
reference_id 2445881
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2445881
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-31802
reference_id CVE-2026-31802
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-31802
6
reference_url https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad
reference_id f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:56:31Z/
url https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad
7
reference_url https://github.com/advisories/GHSA-9ppj-qmqm-q256
reference_id GHSA-9ppj-qmqm-q256
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9ppj-qmqm-q256
8
reference_url https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256
reference_id GHSA-9ppj-qmqm-q256
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:56:31Z/
url https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256
9
reference_url https://access.redhat.com/errata/RHSA-2026:21772
reference_id RHSA-2026:21772
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:21772
fixed_packages
0
url pkg:npm/tar@7.5.11
purl pkg:npm/tar@7.5.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/tar@7.5.11
aliases CVE-2026-31802, GHSA-9ppj-qmqm-q256
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4px3-atph-53gd
2
url VCID-771y-ve1u-nqbg
vulnerability_id VCID-771y-ve1u-nqbg
summary node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23950.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23950.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23950
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.00987
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23950
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23950
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23950
3
reference_url https://github.com/isaacs/node-tar
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/isaacs/node-tar
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2431036
reference_id 2431036
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2431036
5
reference_url https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6
reference_id 3b1abfae650056edfabcbe0a0df5954d390521e6
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-21T20:15:29Z/
url https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23950
reference_id CVE-2026-23950
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23950
7
reference_url https://github.com/advisories/GHSA-r6q2-hw4h-h46w
reference_id GHSA-r6q2-hw4h-h46w
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r6q2-hw4h-h46w
8
reference_url https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w
reference_id GHSA-r6q2-hw4h-h46w
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-21T20:15:29Z/
url https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w
9
reference_url https://access.redhat.com/errata/RHSA-2026:18480
reference_id RHSA-2026:18480
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:18480
10
reference_url https://access.redhat.com/errata/RHSA-2026:18868
reference_id RHSA-2026:18868
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:18868
11
reference_url https://access.redhat.com/errata/RHSA-2026:2144
reference_id RHSA-2026:2144
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2144
12
reference_url https://access.redhat.com/errata/RHSA-2026:2926
reference_id RHSA-2026:2926
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2926
13
reference_url https://access.redhat.com/errata/RHSA-2026:6192
reference_id RHSA-2026:6192
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6192
fixed_packages
0
url pkg:npm/tar@7.5.4
purl pkg:npm/tar@7.5.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1p93-yau8-6kfr
1
vulnerability VCID-4px3-atph-53gd
2
vulnerability VCID-cr27-ffvk-jfgm
3
vulnerability VCID-ptq1-w3p5-rqgr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/tar@7.5.4
aliases CVE-2026-23950, GHSA-r6q2-hw4h-h46w
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-771y-ve1u-nqbg
3
url VCID-cr27-ffvk-jfgm
vulnerability_id VCID-cr27-ffvk-jfgm
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24842.json
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24842.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24842
reference_id
reference_type
scores
0
value 0.00027
scoring_system epss
scoring_elements 0.08168
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24842
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24842
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24842
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/isaacs/node-tar
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/isaacs/node-tar
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433645
reference_id 2433645
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433645
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24842
reference_id CVE-2026-24842
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24842
7
reference_url https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46
reference_id f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-28T14:55:08Z/
url https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46
8
reference_url https://github.com/advisories/GHSA-34x7-hfp2-rc4v
reference_id GHSA-34x7-hfp2-rc4v
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-34x7-hfp2-rc4v
9
reference_url https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v
reference_id GHSA-34x7-hfp2-rc4v
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-28T14:55:08Z/
url https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v
10
reference_url https://access.redhat.com/errata/RHSA-2026:18480
reference_id RHSA-2026:18480
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:18480
11
reference_url https://access.redhat.com/errata/RHSA-2026:18868
reference_id RHSA-2026:18868
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:18868
12
reference_url https://access.redhat.com/errata/RHSA-2026:2900
reference_id RHSA-2026:2900
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2900
13
reference_url https://access.redhat.com/errata/RHSA-2026:5447
reference_id RHSA-2026:5447
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:5447
14
reference_url https://access.redhat.com/errata/RHSA-2026:6192
reference_id RHSA-2026:6192
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6192
fixed_packages
0
url pkg:npm/tar@7.5.7
purl pkg:npm/tar@7.5.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1p93-yau8-6kfr
1
vulnerability VCID-4px3-atph-53gd
2
vulnerability VCID-ptq1-w3p5-rqgr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/tar@7.5.7
aliases CVE-2026-24842, GHSA-34x7-hfp2-rc4v
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cr27-ffvk-jfgm
4
url VCID-ptq1-w3p5-rqgr
vulnerability_id VCID-ptq1-w3p5-rqgr
summary node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29786.json
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29786.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29786
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.00937
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29786
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29786
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29786
3
reference_url https://github.com/isaacs/node-tar
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/isaacs/node-tar
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2445476
reference_id 2445476
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2445476
5
reference_url https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f
reference_id 7bc755dd85e623c0279e08eb3784909e6d7e4b9f
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:52:29Z/
url https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29786
reference_id CVE-2026-29786
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29786
7
reference_url https://github.com/advisories/GHSA-qffp-2rhf-9h96
reference_id GHSA-qffp-2rhf-9h96
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qffp-2rhf-9h96
8
reference_url https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96
reference_id GHSA-qffp-2rhf-9h96
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:52:29Z/
url https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96
fixed_packages
0
url pkg:npm/tar@7.5.10
purl pkg:npm/tar@7.5.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4px3-atph-53gd
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/tar@7.5.10
aliases CVE-2026-29786, GHSA-qffp-2rhf-9h96
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ptq1-w3p5-rqgr
5
url VCID-vswm-6u21-zqem
vulnerability_id VCID-vswm-6u21-zqem
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23745.json
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23745.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23745
reference_id
reference_type
scores
0
value 0.00011
scoring_system epss
scoring_elements 0.01409
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23745
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23745
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23745
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/isaacs/node-tar
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/isaacs/node-tar
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2430538
reference_id 2430538
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2430538
6
reference_url https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
reference_id 340eb285b6d986e91969a1170d7fe9b0face405e
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T14:52:52Z/
url https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23745
reference_id CVE-2026-23745
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23745
8
reference_url https://github.com/advisories/GHSA-8qq5-rm4j-mr97
reference_id GHSA-8qq5-rm4j-mr97
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8qq5-rm4j-mr97
9
reference_url https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
reference_id GHSA-8qq5-rm4j-mr97
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T14:52:52Z/
url https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
10
reference_url https://access.redhat.com/errata/RHSA-2026:18480
reference_id RHSA-2026:18480
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:18480
11
reference_url https://access.redhat.com/errata/RHSA-2026:18868
reference_id RHSA-2026:18868
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:18868
12
reference_url https://access.redhat.com/errata/RHSA-2026:19712
reference_id RHSA-2026:19712
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:19712
13
reference_url https://access.redhat.com/errata/RHSA-2026:2144
reference_id RHSA-2026:2144
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2144
14
reference_url https://access.redhat.com/errata/RHSA-2026:2900
reference_id RHSA-2026:2900
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2900
15
reference_url https://access.redhat.com/errata/RHSA-2026:2926
reference_id RHSA-2026:2926
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2926
16
reference_url https://access.redhat.com/errata/RHSA-2026:3782
reference_id RHSA-2026:3782
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3782
17
reference_url https://access.redhat.com/errata/RHSA-2026:6192
reference_id RHSA-2026:6192
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6192
fixed_packages
0
url pkg:npm/tar@7.5.3
purl pkg:npm/tar@7.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1p93-yau8-6kfr
1
vulnerability VCID-4px3-atph-53gd
2
vulnerability VCID-771y-ve1u-nqbg
3
vulnerability VCID-cr27-ffvk-jfgm
4
vulnerability VCID-ptq1-w3p5-rqgr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/tar@7.5.3
aliases CVE-2026-23745, GHSA-8qq5-rm4j-mr97
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vswm-6u21-zqem
Fixing_vulnerabilities
0
url VCID-vbvf-me33-4ygr
vulnerability_id VCID-vbvf-me33-4ygr
summary node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28863.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28863.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28863
reference_id
reference_type
scores
0
value 0.00663
scoring_system epss
scoring_elements 0.71654
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28863
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28863
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28863
3
reference_url https://github.com/isaacs/node-tar
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/isaacs/node-tar
4
reference_url https://security.netapp.com/advisory/ntap-20240524-0005
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240524-0005
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2293200
reference_id 2293200
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2293200
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28863
reference_id CVE-2024-28863
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28863
7
reference_url https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7
reference_id fe8cd57da5686f8695415414bda49206a545f7f7
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-22T14:55:49Z/
url https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7
8
reference_url https://github.com/advisories/GHSA-f5x3-32g6-xq36
reference_id GHSA-f5x3-32g6-xq36
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f5x3-32g6-xq36
9
reference_url https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36
reference_id GHSA-f5x3-32g6-xq36
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-22T14:55:49Z/
url https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36
10
reference_url https://security.netapp.com/advisory/ntap-20240524-0005/
reference_id ntap-20240524-0005
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-22T14:55:49Z/
url https://security.netapp.com/advisory/ntap-20240524-0005/
11
reference_url https://access.redhat.com/errata/RHSA-2024:4591
reference_id RHSA-2024:4591
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4591
12
reference_url https://access.redhat.com/errata/RHSA-2024:5814
reference_id RHSA-2024:5814
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5814
13
reference_url https://access.redhat.com/errata/RHSA-2024:6147
reference_id RHSA-2024:6147
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6147
14
reference_url https://access.redhat.com/errata/RHSA-2024:6148
reference_id RHSA-2024:6148
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6148
15
reference_url https://access.redhat.com/errata/RHSA-2024:6755
reference_id RHSA-2024:6755
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6755
16
reference_url https://access.redhat.com/errata/RHSA-2024:7164
reference_id RHSA-2024:7164
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7164
fixed_packages
0
url pkg:npm/tar@6.2.1
purl pkg:npm/tar@6.2.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1p93-yau8-6kfr
1
vulnerability VCID-4px3-atph-53gd
2
vulnerability VCID-771y-ve1u-nqbg
3
vulnerability VCID-cr27-ffvk-jfgm
4
vulnerability VCID-ptq1-w3p5-rqgr
5
vulnerability VCID-vswm-6u21-zqem
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/tar@6.2.1
aliases CVE-2024-28863, GHSA-f5x3-32g6-xq36
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vbvf-me33-4ygr
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/tar@6.2.1