CVE-2026-26960 — Path Traversal in Node-tar
Severity
7.1HIGHNVD
EPSS
0.0%
top 99.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedFeb 20
Description
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.2
Affected Packages4 packages
Patches
🔴Vulnerability Details
4CVEList▶
node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction↗2026-02-20
OSV▶
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction↗2026-02-18
GHSA▶
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction↗2026-02-18
📋Vendor Advisories
3🕵️Threat Intelligence
1💬Community
1Bugzilla▶
CVE-2026-26960 node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation↗2026-02-20