gnu tar

34 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-5704
all versions
A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden fil
5.0 MEDIUM
CVE-2026-33056
< 0.4.45
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crat
6.5 MEDIUM
CVE-2026-31802
< 7.5.11
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points
5.5 MEDIUM
CVE-2026-29786
< 7.5.10
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outs
6.3 MEDIUM
CVE-2026-26960
< 7.5.8
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archiv
7.1 HIGH
CVE-2026-24842
< 7.5.7
node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses
8.2 HIGH
CVE-2026-23950
< 7.5.4
node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete
8.8 HIGH
CVE-2026-23745
< 7.5.3
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink
6.1 MEDIUM
CVE-2025-45582
< 1.35
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First
4.1 MEDIUM
CVE-2023-39804
< 1.35
In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.
6.2 MEDIUM
CVE-2024-28863
< 6.2.1
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder cre
6.5 MEDIUM
CVE-2022-48303
<= 1.34
GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploit
5.5 MEDIUM
CVE-2021-37713
< 4.4.18
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitr
8.2 HIGH
CVE-2021-37712
<= 4.4.17
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitr
8.2 HIGH
CVE-2021-37701
< 4.4.16
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitra
8.2 HIGH
CVE-2021-38511
< 0.4.36
An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction can create
7.5 HIGH
CVE-2021-32804
< 3.2.2
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulne
8.2 HIGH
CVE-2021-32803
< 3.2.3
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vuln
8.2 HIGH
CVE-2021-20193
<= 1.33
A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to ta
3.3 LOW
CVE-2018-20990
< 0.4.16
An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a
7.5 HIGH
CVE-2018-20834
< 2.2.2
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists whe
7.5 HIGH
CVE-2019-9923
< 1.32
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malfor
7.5 HIGH
CVE-2018-20482
<= 1.30
GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a den
4.7 MEDIUM
CVE-2016-6321
all versions
Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to b
7.5 HIGH
CVE-2010-0624
<= 1.22
Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and
CVE-2007-4476
< 1.19
Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing s
CVE-2007-4131
all versions
Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers
CVE-2006-6097
all versions
GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file t
CVE-2006-0300
all versions
Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and po
CVE-2005-1918
all versions
The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an "
CVE-2005-2541
all versions
Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers
CVE-2002-1216
<= 1.13.25
GNU tar 1.13.19 and other versions before 1.13.25 allows remote attackers to overwrite arbitrary files via a symlink attack, as th
CVE-2002-0399
all versions
Directory traversal vulnerability in GNU tar 1.13.19 through 1.13.25, and possibly later versions, allows attackers to overwrite a
CVE-2001-1267
<= 1.13.19
Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows local users to overwrite arbitrary files during archive ex
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin