CVE-2026-26960 (High) detected in tar-4.4.19.tgz #27
Description
CVE-2026-26960 - High Severity Vulnerability
Vulnerable Library - tar-4.4.19.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tar/package.json
Dependency Hierarchy:
- electron-rebuild-1.11.0.tgz (Root Library)
- node-gyp-6.1.0.tgz
- ❌ tar-4.4.19.tgz (Vulnerable Library)
- node-gyp-6.1.0.tgz
Found in HEAD commit: ae62db6079d7852a74ec7949f57fe5a5bbcbe2a7
Found in base branch: master
Vulnerability Details
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Publish Date: 2026-02-20
URL: CVE-2026-26960
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-18
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.8,tar - 7.5.8
Step up your Open Source Security Game with Mend here