Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-26960 (GCVE-0-2026-26960)
Vulnerability from cvelistv5 – Published: 2026-02-20 01:07 – Updated: 2026-02-20 15:35
VLAI
EPSS
Title
node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction
Summary
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Severity
7.1 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/isaacs/node-tar/security/advis… | x_refsource_CONFIRM |
| https://github.com/isaacs/node-tar/commit/2cb1120… | x_refsource_MISC |
| https://github.com/isaacs/node-tar/commit/d18e4e1… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T15:29:17.653825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T15:35:27.586Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "node-tar",
"vendor": "isaacs",
"versions": [
{
"status": "affected",
"version": "\u003c 7.5.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T01:07:52.979Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx"
},
{
"name": "https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384"
},
{
"name": "https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f"
}
],
"source": {
"advisory": "GHSA-83g3-92jg-28cx",
"discovery": "UNKNOWN"
},
"title": "node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26960",
"datePublished": "2026-02-20T01:07:52.979Z",
"dateReserved": "2026-02-16T22:20:28.611Z",
"dateUpdated": "2026-02-20T15:35:27.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-26960",
"date": "2026-05-28",
"epss": "8e-05",
"percentile": "0.00849"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-26960\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-20T02:16:53.883\",\"lastModified\":\"2026-02-20T19:24:16.537\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"7.5.8\",\"matchCriteriaId\":\"709C920B-A33B-4301-AC36-EF3065986019\"}]}]}],\"references\":[{\"url\":\"https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-26960\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-20T15:29:17.653825Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-20T15:29:19.255Z\"}}], \"cna\": {\"title\": \"node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction\", \"source\": {\"advisory\": \"GHSA-83g3-92jg-28cx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"isaacs\", \"product\": \"node-tar\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 7.5.8\"}]}], \"references\": [{\"url\": \"https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx\", \"name\": \"https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384\", \"name\": \"https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f\", \"name\": \"https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-20T01:07:52.979Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-26960\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-20T15:35:27.586Z\", \"dateReserved\": \"2026-02-16T22:20:28.611Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-20T01:07:52.979Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
cleanstart-2026-dv49099
Vulnerability from cleanstart
Published
2026-04-01 09:31
Modified
2026-03-23 10:49
Summary
Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0
Details
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-DV49099",
"modified": "2026-03-23T10:49:42Z",
"published": "2026-04-01T09:31:16.419730Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-DV49099.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0",
"upstream": [
"CVE-2025-64756",
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-23745",
"CVE-2026-2391",
"CVE-2026-24842",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-33036",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-34x7-hfp2-rc4v",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-4992-7rv2-5pvq",
"ghsa-5j98-mcp5-4vw2",
"ghsa-73rr-hh4g-fpgx",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8qq5-rm4j-mr97",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-f269-vfmq-vjvj",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-r6q2-hw4h-h46w",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883"
]
}
cleanstart-2026-gs57401
Vulnerability from cleanstart
Published
2026-04-01 09:43
Modified
2026-03-19 07:48
Summary
Security fixes for CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-2391, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.3-r1
Details
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.3-r1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-GS57401",
"modified": "2026-03-19T07:48:38Z",
"published": "2026-04-01T09:43:24.793409Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-GS57401.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-2391, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.3-r1",
"upstream": [
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-2391",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-33036",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-4992-7rv2-5pvq",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-f269-vfmq-vjvj",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883"
]
}
cleanstart-2026-lm41397
Vulnerability from cleanstart
Published
2026-02-24 00:40
Modified
2026-02-23 12:58
Summary
node-tar is a full-featured Tar for Node
Details
Multiple security vulnerabilities affect the npm package. node-tar is a full-featured Tar for Node. See references for individual vulnerability details.
Severity
9.8 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "npm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.1.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the npm package. node-tar is a full-featured Tar for Node. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-LM41397",
"modified": "2026-02-23T12:58:32Z",
"published": "2026-02-24T00:40:50.950958Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-LM41397"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "node-tar is a full-featured Tar for Node",
"upstream": [
"CVE-2026-23745",
"CVE-2026-26960"
]
}
cleanstart-2026-ny12442
Vulnerability from cleanstart
Published
2026-02-27 00:41
Modified
2026-02-26 12:09
Summary
node-tar is a full-featured Tar for Node
Details
Multiple security vulnerabilities affect the npm package. node-tar is a full-featured Tar for Node. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
| URL | Type | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "npm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.1.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the npm package. node-tar is a full-featured Tar for Node. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-NY12442",
"modified": "2026-02-26T12:09:56Z",
"published": "2026-02-27T00:41:38.733387Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-NY12442"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-43616"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-3PPC-4F35-3M26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-83G3-92JG-28CX"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43616"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "node-tar is a full-featured Tar for Node",
"upstream": [
"CVE-2021-43616",
"CVE-2026-23745",
"CVE-2026-25547",
"CVE-2026-26960",
"GHSA-3PPC-4F35-3M26",
"GHSA-83G3-92JG-28CX"
]
}
cleanstart-2026-ow14933
Vulnerability from cleanstart
Published
2026-05-18 13:33
Modified
2026-05-10 16:06
Summary
Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0
Details
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-OW14933",
"modified": "2026-05-10T16:06:08Z",
"published": "2026-05-18T13:33:43.873182Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-OW14933.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0",
"upstream": [
"CVE-2025-64756",
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-23745",
"CVE-2026-2391",
"CVE-2026-24842",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-33036",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-34x7-hfp2-rc4v",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-4992-7rv2-5pvq",
"ghsa-5j98-mcp5-4vw2",
"ghsa-73rr-hh4g-fpgx",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8qq5-rm4j-mr97",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-f269-vfmq-vjvj",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-r6q2-hw4h-h46w",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883"
]
}
cleanstart-2026-sw34937
Vulnerability from cleanstart
Published
2026-04-01 09:43
Modified
2026-03-19 07:58
Summary
Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0
Details
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-SW34937",
"modified": "2026-03-19T07:58:44Z",
"published": "2026-04-01T09:43:38.907490Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-SW34937.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0",
"upstream": [
"CVE-2025-64756",
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-23745",
"CVE-2026-2391",
"CVE-2026-24842",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-33036",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-34x7-hfp2-rc4v",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-4992-7rv2-5pvq",
"ghsa-5j98-mcp5-4vw2",
"ghsa-73rr-hh4g-fpgx",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8qq5-rm4j-mr97",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-f269-vfmq-vjvj",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-r6q2-hw4h-h46w",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883"
]
}
cleanstart-2026-tz34913
Vulnerability from cleanstart
Published
2026-05-18 13:41
Modified
2026-05-06 06:24
Summary
Security fixes for CVE-2022-25881, CVE-2022-33987, CVE-2025-25285, CVE-2025-62718, CVE-2025-69873, CVE-2026-21637, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-33750, CVE-2026-33916, CVE-2026-33937, CVE-2026-4800, CVE-2026-4923, CVE-2026-4926, ghsa-23c5-xmqv-rm74, ghsa-2qvq-rjwj-gvw9, ghsa-2w6w-674q-4c4q, ghsa-34x7-hfp2-rc4v, ghsa-3mfm-83xf-c92r, ghsa-3p68-rc4w-qgx5, ghsa-3v7f-55p6-f55p, ghsa-442j-39wm-28r2, ghsa-48c2-rrv3-qjmp, ghsa-72xf-g2v4-qvf3, ghsa-7r86-cg39-jmmj, ghsa-7rx3-28cr-v5wh, ghsa-83g3-92jg-28cx, ghsa-8qq5-rm4j-mr97, ghsa-9cx6-37pm-9jff, ghsa-9ppj-qmqm-q256, ghsa-c2c7-rcm5-vvqj, ghsa-chqc-8p9q-pq6q, ghsa-f23m-r3pf-42rh, ghsa-f886-m6hf-6m8v, ghsa-j3q9-mxjg-w52f, ghsa-pfrx-2q88-qq97, ghsa-qffp-2rhf-9h96, ghsa-r5fr-rjxr-66jc, ghsa-r6q2-hw4h-h46w, ghsa-rc47-6667-2j5j, ghsa-rmvr-2pp2-xj38, ghsa-rp42-5vxx-qpwr, ghsa-w5hq-g745-h8pq, ghsa-xhpv-hc6g-r9c6, ghsa-xjpj-3mr7-gcpf applied in versions: 2.5.10-r2, 2.5.10-r3, 2.5.10-r4, 2.5.10-r5, 2.6.0-r1
Details
Multiple security vulnerabilities affect the mongosh package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "mongosh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.0-r1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the mongosh package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-TZ34913",
"modified": "2026-05-06T06:24:38Z",
"published": "2026-05-18T13:41:16.302553Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-TZ34913.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-25881"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-33987"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-25285"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-62718"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-21637"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33916"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33937"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4923"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4926"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2qvq-rjwj-gvw9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2w6w-674q-4c4q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3mfm-83xf-c92r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3p68-rc4w-qgx5"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-442j-39wm-28r2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-48c2-rrv3-qjmp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-72xf-g2v4-qvf3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7rx3-28cr-v5wh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9cx6-37pm-9jff"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-chqc-8p9q-pq6q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j3q9-mxjg-w52f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pfrx-2q88-qq97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rc47-6667-2j5j"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rmvr-2pp2-xj38"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rp42-5vxx-qpwr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w5hq-g745-h8pq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xhpv-hc6g-r9c6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xjpj-3mr7-gcpf"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25285"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62718"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33916"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33937"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4923"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4926"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2022-25881, CVE-2022-33987, CVE-2025-25285, CVE-2025-62718, CVE-2025-69873, CVE-2026-21637, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-33750, CVE-2026-33916, CVE-2026-33937, CVE-2026-4800, CVE-2026-4923, CVE-2026-4926, ghsa-23c5-xmqv-rm74, ghsa-2qvq-rjwj-gvw9, ghsa-2w6w-674q-4c4q, ghsa-34x7-hfp2-rc4v, ghsa-3mfm-83xf-c92r, ghsa-3p68-rc4w-qgx5, ghsa-3v7f-55p6-f55p, ghsa-442j-39wm-28r2, ghsa-48c2-rrv3-qjmp, ghsa-72xf-g2v4-qvf3, ghsa-7r86-cg39-jmmj, ghsa-7rx3-28cr-v5wh, ghsa-83g3-92jg-28cx, ghsa-8qq5-rm4j-mr97, ghsa-9cx6-37pm-9jff, ghsa-9ppj-qmqm-q256, ghsa-c2c7-rcm5-vvqj, ghsa-chqc-8p9q-pq6q, ghsa-f23m-r3pf-42rh, ghsa-f886-m6hf-6m8v, ghsa-j3q9-mxjg-w52f, ghsa-pfrx-2q88-qq97, ghsa-qffp-2rhf-9h96, ghsa-r5fr-rjxr-66jc, ghsa-r6q2-hw4h-h46w, ghsa-rc47-6667-2j5j, ghsa-rmvr-2pp2-xj38, ghsa-rp42-5vxx-qpwr, ghsa-w5hq-g745-h8pq, ghsa-xhpv-hc6g-r9c6, ghsa-xjpj-3mr7-gcpf applied in versions: 2.5.10-r2, 2.5.10-r3, 2.5.10-r4, 2.5.10-r5, 2.6.0-r1",
"upstream": [
"CVE-2022-25881",
"CVE-2022-33987",
"CVE-2025-25285",
"CVE-2025-62718",
"CVE-2025-69873",
"CVE-2026-21637",
"CVE-2026-23745",
"CVE-2026-24842",
"CVE-2026-26960",
"CVE-2026-2950",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-33750",
"CVE-2026-33916",
"CVE-2026-33937",
"CVE-2026-4800",
"CVE-2026-4923",
"CVE-2026-4926",
"ghsa-23c5-xmqv-rm74",
"ghsa-2qvq-rjwj-gvw9",
"ghsa-2w6w-674q-4c4q",
"ghsa-34x7-hfp2-rc4v",
"ghsa-3mfm-83xf-c92r",
"ghsa-3p68-rc4w-qgx5",
"ghsa-3v7f-55p6-f55p",
"ghsa-442j-39wm-28r2",
"ghsa-48c2-rrv3-qjmp",
"ghsa-72xf-g2v4-qvf3",
"ghsa-7r86-cg39-jmmj",
"ghsa-7rx3-28cr-v5wh",
"ghsa-83g3-92jg-28cx",
"ghsa-8qq5-rm4j-mr97",
"ghsa-9cx6-37pm-9jff",
"ghsa-9ppj-qmqm-q256",
"ghsa-c2c7-rcm5-vvqj",
"ghsa-chqc-8p9q-pq6q",
"ghsa-f23m-r3pf-42rh",
"ghsa-f886-m6hf-6m8v",
"ghsa-j3q9-mxjg-w52f",
"ghsa-pfrx-2q88-qq97",
"ghsa-qffp-2rhf-9h96",
"ghsa-r5fr-rjxr-66jc",
"ghsa-r6q2-hw4h-h46w",
"ghsa-rc47-6667-2j5j",
"ghsa-rmvr-2pp2-xj38",
"ghsa-rp42-5vxx-qpwr",
"ghsa-w5hq-g745-h8pq",
"ghsa-xhpv-hc6g-r9c6",
"ghsa-xjpj-3mr7-gcpf"
]
}
FKIE_CVE-2026-26960
Vulnerability from fkie_nvd - Published: 2026-02-20 02:16 - Updated: 2026-02-20 19:24
Severity
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384 | Patch | |
| security-advisories@github.com | https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f | Patch | |
| security-advisories@github.com | https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx | Exploit, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "709C920B-A33B-4301-AC36-EF3065986019",
"versionEndExcluding": "7.5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8."
},
{
"lang": "es",
"value": "node-tar es un Tar con todas las funciones para Node.js. Al usar las opciones predeterminadas en las versiones 7.5.7 e inferiores, un archivo controlado por el atacante puede crear un enlace duro dentro del directorio de extracci\u00f3n que apunte a un archivo fuera de la ra\u00edz de extracci\u00f3n, permitiendo la lectura y escritura arbitraria de archivos como el usuario extractor. La gravedad es alta porque la primitiva elude las protecciones de ruta y convierte la extracci\u00f3n del archivo en una primitiva de acceso directo al sistema de archivos. Este problema ha sido solucionado en la versi\u00f3n 7.5.8."
}
],
"id": "CVE-2026-26960",
"lastModified": "2026-02-20T19:24:16.537",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-02-20T02:16:53.883",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-83G3-92JG-28CX
Vulnerability from github – Published: 2026-02-18 00:57 – Updated: 2026-02-20 16:47
VLAI
Summary
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
Details
Summary
tar.extract() in Node tar allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outside the extraction root, using default options.
This enables arbitrary file read and write as the extracting user (no root, no chmod, no preservePaths).
Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive.
Details
The bypass chain uses two symlinks plus one hardlink:
a/b/c/up -> ../..a/b/escape -> c/up/../..exfil(hardlink) ->a/b/escape/<target-relative-to-parent-of-extract>
Why this works:
- Linkpath checks are string-based and do not resolve symlinks on disk for hardlink target safety.
-
See
STRIPABSOLUTEPATHlogic in:../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:255../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:268../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:281
-
Hardlink extraction resolves target as
path.resolve(cwd, entry.linkpath)and then callsfs.link(target, destination). ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:566../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:567-
../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:703 -
Parent directory safety checks (
mkdir+ symlink detection) are applied to the destination path of the extracted entry, not to the resolved hardlink target path. ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:617../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:619../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:27../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:101
As a result, exfil is created inside extraction root but linked to an external file. The PoC confirms shared inode and successful read+write via exfil.
PoC
hardlink.js Environment used for validation:
- Node:
v25.4.0 - tar:
7.5.7 - OS: macOS Darwin 25.2.0
- Extract options: defaults (
tar.extract({ file, cwd }))
Steps:
-
Prepare/locate a
tarmodule. Ifrequire('tar')is not available locally, setTAR_MODULEto an absolute path to a tar package directory. -
Run:
TAR_MODULE="$(cd '../tar-audit-setuid - CVE/node_modules/tar' && pwd)" node hardlink.js
- Expected vulnerable output (key lines):
same_inode=true
read_ok=true
write_ok=true
result=VULNERABLE
Interpretation:
same_inode=true: extractedexfiland external secret are the same file object.read_ok=true: readingexfilleaks external content.write_ok=true: writingexfilmodifies external file.
Impact
Vulnerability type:
- Arbitrary file read/write via archive extraction path confusion and link resolution.
Who is impacted:
- Any application/service that extracts attacker-controlled tar archives with Node
tardefaults. - Impact scope is the privileges of the extracting process user.
Potential outcomes:
- Read sensitive files reachable by the process user.
- Overwrite writable files outside extraction root.
- Escalate impact depending on deployment context (keys, configs, scripts, app data).
Severity
7.1 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "tar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26960"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T00:57:13Z",
"nvd_published_at": "2026-02-20T02:16:53Z",
"severity": "HIGH"
},
"details": "### Summary\n`tar.extract()` in Node `tar` allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outside the extraction root, using default options.\n\nThis enables **arbitrary file read and write** as the extracting user (no root, no chmod, no `preservePaths`).\n\nSeverity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive.\n\n### Details\nThe bypass chain uses two symlinks plus one hardlink:\n\n1. `a/b/c/up -\u003e ../..`\n2. `a/b/escape -\u003e c/up/../..`\n3. `exfil` (hardlink) -\u003e `a/b/escape/\u003ctarget-relative-to-parent-of-extract\u003e`\n\nWhy this works:\n\n- Linkpath checks are string-based and do not resolve symlinks on disk for hardlink target safety.\n - See `STRIPABSOLUTEPATH` logic in:\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:255`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:268`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:281`\n\n- Hardlink extraction resolves target as `path.resolve(cwd, entry.linkpath)` and then calls `fs.link(target, destination)`.\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:566`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:567`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:703`\n\n- Parent directory safety checks (`mkdir` + symlink detection) are applied to the destination path of the extracted entry, not to the resolved hardlink target path.\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:617`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:619`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:27`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:101`\n\nAs a result, `exfil` is created inside extraction root but linked to an external file. The PoC confirms shared inode and successful read+write via `exfil`.\n\n### PoC\n[hardlink.js](https://github.com/user-attachments/files/25240082/hardlink.js)\nEnvironment used for validation:\n\n- Node: `v25.4.0`\n- tar: `7.5.7`\n- OS: macOS Darwin 25.2.0\n- Extract options: defaults (`tar.extract({ file, cwd })`)\n\nSteps:\n\n1. Prepare/locate a `tar` module. If `require(\u0027tar\u0027)` is not available locally, set `TAR_MODULE` to an absolute path to a tar package directory.\n\n2. Run:\n\n```bash\nTAR_MODULE=\"$(cd \u0027../tar-audit-setuid - CVE/node_modules/tar\u0027 \u0026\u0026 pwd)\" node hardlink.js\n```\n\n3. Expected vulnerable output (key lines):\n\n```text\nsame_inode=true\nread_ok=true\nwrite_ok=true\nresult=VULNERABLE\n```\n\nInterpretation:\n\n- `same_inode=true`: extracted `exfil` and external secret are the same file object.\n- `read_ok=true`: reading `exfil` leaks external content.\n- `write_ok=true`: writing `exfil` modifies external file.\n\n### Impact\nVulnerability type:\n\n- Arbitrary file read/write via archive extraction path confusion and link resolution.\n\nWho is impacted:\n\n- Any application/service that extracts attacker-controlled tar archives with Node `tar` defaults.\n- Impact scope is the privileges of the extracting process user.\n\nPotential outcomes:\n\n- Read sensitive files reachable by the process user.\n- Overwrite writable files outside extraction root.\n- Escalate impact depending on deployment context (keys, configs, scripts, app data).",
"id": "GHSA-83g3-92jg-28cx",
"modified": "2026-02-20T16:47:48Z",
"published": "2026-02-18T00:57:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384"
},
{
"type": "WEB",
"url": "https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f"
},
{
"type": "PACKAGE",
"url": "https://github.com/isaacs/node-tar"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction"
}
MSRC_CVE-2026-26960
Vulnerability from csaf_microsoft - Published: 2026-02-02 00:00 - Updated: 2026-02-25 01:38Summary
node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
CWE-22
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17084-1 | — | ||
| Unresolved product id: 17086-2 | — |
References
4 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2026/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2026/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2026-26960 node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-26960.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction",
"tracking": {
"current_release_date": "2026-02-25T01:38:11.000Z",
"generator": {
"date": "2026-02-25T09:46:55.148Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2026-26960",
"initial_release_date": "2026-02-02T00:00:00.000Z",
"revision_history": [
{
"date": "2026-02-22T01:01:26.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2026-02-24T14:03:56.000Z",
"legacy_version": "2",
"number": "2",
"summary": "Information published."
},
{
"date": "2026-02-25T01:38:11.000Z",
"legacy_version": "3",
"number": "3",
"summary": "Information published."
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
},
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"category": "product_name",
"name": "azl3 tar 1.35-2",
"product": {
"name": "azl3 tar 1.35-2",
"product_id": "1"
}
},
{
"category": "product_name",
"name": "cbl2 tar 1.34-3",
"product": {
"name": "cbl2 tar 1.34-3",
"product_id": "2"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 tar 1.35-2 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 tar 1.34-3 as a component of CBL Mariner 2.0",
"product_id": "17086-2"
},
"product_reference": "2",
"relates_to_product_reference": "17086"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-26960",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0026#39;Path Traversal\u0026#39;)"
},
"flags": [
{
"label": "component_not_present",
"product_ids": [
"17084-1",
"17086-2"
]
}
],
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"known_not_affected": [
"17084-1",
"17086-2"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-26960 node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-26960.json"
}
],
"title": "node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…