Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-43637

CRITICAL NVD
CVSS Score 9.1
Severity CRITICAL
Published Jul 15, 2026
Vendor unknown

Description

Cornac before 2.6.0 contains a path traversal (Tar Slip) vulnerability that allows attackers to write arbitrary files outside the intended cache directory by supplying a crafted TAR archive containing ../ sequences, absolute paths, or symlink/hardlink entries to the _extract_archive() function in cornac/utils/download.py. Attackers can trigger this vulnerability through the built-in dataset loaders, which automatically download and extract archives, causing archive.extractall() to write files to arbitrary locations on the filesystem accessible to the running process.

References