CVE-2026-26960

Updated: 2026-03-05 01:35:27.48321

Description:

node-tar is a full-featured Tar for Node.js. When extracting with default options in versions 7.5.7 and earlier, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, giving arbitrary file read and write with the privileges of the extracting user. Severity is high because the primitive bypasses the path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

Severity Score
CVSS Version 2.x   0.0
CVSS Version 3.x   HIGH 7.1

Status

OS name               | Project name | Version | Score | Severity | Status         | Errata | Last updated        | Statement
AlmaLinux 9.2 ESU     | tar          | 1.34    | 7.1   | HIGH     | In Testing     |        | 2026-02-27 10:09:53 |
Alpine Linux 3.18 ELS | tar          | 1.34    | 7.1   | HIGH     | Not Vulnerable |        | 2026-02-28 00:41:47 | Not affected. CVE-2026-26960 targets the Node.js npm package “node‑tar” (tar) versions 7.5.7 a...
CentOS 6 ELS          | tar          | 1.23-15 | 7.1   | HIGH     | Not Vulnerable |        | 2026-02-28 00:41:52 | Not affected: CVE-2026-26960 targets the Node.js “tar” (node-tar) npm package (versions 7.5.7 an...
CentOS 7 ELS          | tar          | 1.26    | 7.1   | HIGH     | Not Vulnerable |        | 2026-02-28 00:41:55 | Not affected. CVE-2026-26960 applies to the Node.js npm package “tar” (node-tar) and its extract...
CentOS 8.4 ELS        | tar          | 1.30-5  | 7.1   | HIGH     | In Testing     |        | 2026-02-27 16:10:49 |
CentOS 8.5 ELS        | tar          | 1.30-5  | 7.1   | HIGH     | In Testing     |        | 2026-02-27 16:10:52 |
CentOS Stream 8 ELS   | tar          | 1.3     | 7.1   | HIGH     | In Testing     |        | 2026-03-04 08:18:13 |
CloudLinux 7 ELS      | tar          | 1.26    | 7.1   | HIGH     | Not Vulnerable |        | 2026-02-28 00:41:54 | Not affected. CVE-2026-26960 applies to the Node.js npm package “tar” (node-tar) and its extract...
Debian 10 ELS         | tar          | 1.30    | 7.1   | HIGH     | Not Vulnerable |        | 2026-02-28 00:41:50 | Not affected: this CVE targets the Node.js node-tar library (tar on npm) up to version 7.5.7 and doe...
Oracle Linux 6 ELS    | tar          | 1.23-15 | 7.1   | HIGH     | Not Vulnerable |        | 2026-02-28 00:41:52 | Not affected: CVE-2026-26960 targets the Node.js “tar” (node-tar) npm package (versions 7.5.7 an...
Total: 16