CVE-2026-7774 MEDIUM

CVE-2026-7774: tarfile.data_filter path traversal bypass allows writing outside the extraction directory

Vendor Python Software Foundation
Product CPython
Weakness CWE-22 · Path traversal
Published June 4, 2026
Last update June 10, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Active
Confidentiality None
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.
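The description above comes down to one gap: `data_filter` judges each member's name and link target on their own, but it does not re-check, at write time, where a member's parent directory actually resolves once earlier link entries have been created on disk. The wrapper below is an added example written for this page, not CPython's fix and not code from the advisory. It keeps `filter="data"` as the first layer where the interpreter provides it, and adds two independent checks before every write: a static check that rejects empty, absolute, directory-like or escaping names and link targets, and an on-disk check that the member's parent directory resolves to exactly its lexical location under the destination (so a member routed through a previously extracted symlink is refused even when the link itself pointed inside the tree). The function names, the rejection strings and the sample archive are constructed for the example; the archive exercises the detection logic and is not a reproduction of the reported bypass.

```python
import io
import os
import tarfile
import tempfile


def _inside(base, path):
    """True if path is base itself or lies below it (both already normalised/real)."""
    return path == base or path.startswith(base + os.sep)


def check_member_name(member):
    """Static check on the member's own name and link target (hypothetical helper).
    Returns a rejection reason, or None if the entry looks sane."""
    name = member.name
    # Directory members lose their trailing slash when tarfile parses the header,
    # so a trailing slash on anything else is a directory-like name on a non-directory.
    if not member.isdir() and name.endswith("/"):
        return "directory-like name on a non-directory member"
    if name == "" or name.startswith("/") or any(p in ("", "..") for p in name.split("/")):
        return "empty, absolute or '..' path component"
    if member.issym() or member.islnk():
        if member.linkname == "":
            return "link with empty target"
        if member.issym():
            # Symlink targets are interpreted relative to the link's own directory.
            target = os.path.normpath(os.path.join(os.path.dirname(name), member.linkname))
        else:
            # Hard link targets are relative to the archive root.
            target = os.path.normpath(member.linkname)
        if os.path.isabs(target) or target == ".." or target.startswith("../"):
            return "link target escapes the extraction directory"
    return None


def check_on_disk_parent(dest_real, member):
    """Dynamic check (hypothetical helper): the directory this member will be written
    into must resolve, through whatever has already been extracted, to exactly the
    lexical path under dest. A mismatch means an earlier link entry redirects it."""
    lexical_parent = os.path.normpath(os.path.join(dest_real, os.path.dirname(member.name)))
    real_parent = os.path.realpath(lexical_parent)
    if not _inside(dest_real, real_parent):
        return "parent directory resolves outside the extraction directory"
    if real_parent != lexical_parent:
        return "member path traverses a previously extracted symlink"
    return None


def safe_extract(tar_bytes, dest):
    """Extract member by member, applying both checks before each write.
    Returns (extracted_names, rejected) where rejected is a list of (name, reason)."""
    dest_real = os.path.realpath(dest)
    os.makedirs(dest_real, exist_ok=True)
    # Python 3.12+ and the security backports expose data_filter; keep it as layer one.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            reason = check_member_name(member) or check_on_disk_parent(dest_real, member)
            if reason is None and member.isdev():
                reason = "device node in a data archive"
            if reason:
                rejected.append((member.name, reason))
                continue
            tar.extract(member, path=dest_real, **extract_kwargs)
            extracted.append(member.name)
    return extracted, rejected


def build_sample_archive():
    """Constructed sample archive (not from the advisory): a benign file, a symlink that
    stays inside the tree, a later member routed through that symlink, a symlink pointing
    upward, a symlink with a directory-like name, and an entry with an empty name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        add_file("docs/readme.txt", b"hello\n")
        add_symlink("docs/lib", "../docs")          # resolves inside dest: allowed on its own
        add_file("docs/lib/dropped.txt", b"redirected\n")  # would be written through the link
        add_symlink("docs/out", "../../etc")        # escapes upward
        add_symlink("docs/", "elsewhere")           # directory-like name on a symlink
        add_symlink("", "elsewhere")                # empty name
    return buf.getvalue()


def demo():
    """Run the wrapper on the sample in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        extracted, rejected = safe_extract(build_sample_archive(), dest)
        with open(os.path.join(dest, "docs", "readme.txt"), "rb") as fh:
            readme = fh.read()
        siblings = os.listdir(tmp)  # anything beside "out" would mean an escape
    return extracted, dict(rejected), readme, siblings


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The on-disk check is deliberately stricter than "stays inside the destination": any member whose path passes through a symlink is refused, because a data archive has no legitimate reason to write through links it created itself. That rule costs nothing on archives produced by `tar` from a real directory tree and removes the whole class of redirect-through-link problems regardless of which name quirk a particular archive uses.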

Key dates

Disclosure timeline

June 4, 2026 CVE published
June 10, 2026 Record updated