# github.com/zarf-dev/zarf vulnerabilities
2 known vulnerabilities affecting github.com/zarf-dev_zarf.
- Total CVEs: 2
- CISA KEV: 0
- Public exploits: 0
- Exploited in wild: 0
- Severity breakdown: HIGH 1, UNKNOWN 1
## Vulnerabilities
### CVE-2026-40090 [HIGH] CWE-22: Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write

Affected versions: ≥ 0.23.0, < 0.74.2. Date: 2026-04-14.
### Impact
This vulnerability impacts users of `zarf package inspect sbom` or `zarf package inspect documentation` on untrusted packages.
### Patches
#4793, now fixed in version v0.74.2
### Workarounds
Avoid inspecting unsigned packages
## Description
The `package inspect sbom` and `package insp
Source: GHSA
### CVE-2026-29064 [UNKNOWN]: Zarf's symlink targets in archives are not validated against destination directory in github.com/zarf-dev/zarf

Affected versions: ≥ 0.54.0, < 0.73.1. Date: 2026-03-10.
Source: OSV