CVE-2026-23949Path Traversal in Jaraco.context

CWE-22Path Traversal8 documents7 sources
Severity
8.6HIGHNVD
EPSS
0.1%
top 74.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Jaraco Jaraco.contextDebian Jaraco.contextDebian Setuptools
Timeline
PublishedJan 20
Latest updateJan 27

Description

jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allow

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages6 packages

NVDjaraco/jaraco.context5.2.06.1.0
PyPIjaraco/jaraco.context5.2.06.1.0
debiandebian/jaraco.context< jaraco.context 6.0.1-2 (forky)
Debianjaraco/jaraco.context< 6.0.1-1+deb13u1+1
CVEListV5jaraco/jaraco.context>= 5.2.0, < 6.1.0

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
CVE-2026-23949: jaraco2026-01-20
OSV
jaraco.context Has a Path Traversal Vulnerability2026-01-13
GHSA
jaraco.context Has a Path Traversal Vulnerability2026-01-13

📋Vendor Advisories

3
Ubuntu
jaraco.context vulnerability2026-01-27
Red Hat
jaraco.context: jaraco.context: Path traversal via malicious tar archives2026-01-20
Debian
CVE-2026-23949: jaraco.context - jaraco.context, an open-source software package that provides some useful decora...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-23949 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-23949 — Path Traversal in Jaraco.context | cvebase