CVE-2026-7774

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Jun 04, 2026

Vendor unknown

Description

tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.

References

https://github.com/python/cpython/issues/149486
https://github.com/python/cpython/pull/149487
https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/