CVE-2026-29509

Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12. The is_within_directory() helper uses os.path.commonprefix(), which compares the strings character by character rather than by path component, so a member path that resolves to a sibling directory whose name merely starts with the destination's name (for example, a destination of out/ and a member resolving to out_evil/) passes the containment check. An attacker who supplies an archive with specially crafted member paths can therefore write files outside the intended extraction directory.
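A worked example of the flawed check beside its fix, added here and not taken from patool's source: the helper names mirror those in the advisory, but their bodies are an assumed reconstruction of the described behaviour, and the destination directory and the archive member names are constructed inputs. The audit only inspects member names; nothing is extracted to disk.

```python
import io
import os
import tarfile
import tempfile


def is_within_directory_prefix(directory, target):
    """Containment check of the shape the advisory describes (assumed
    reconstruction, not patool's code). os.path.commonprefix compares
    characters, not path components, so '/x/out' is a 'prefix' of
    '/x/out_evil/f' and the check wrongly passes."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    prefix = os.path.commonprefix([abs_directory, abs_target])
    return prefix == abs_directory


def is_within_directory_path(directory, target):
    """Hardened check: resolve symlinks, then compare whole path components
    with os.path.commonpath, so only the directory itself or a true
    descendant is accepted."""
    real_directory = os.path.realpath(directory)
    real_target = os.path.realpath(target)
    try:
        return os.path.commonpath([real_directory, real_target]) == real_directory
    except ValueError:
        # commonpath raises when the paths cannot be compared (for example,
        # different drives on Windows); treat that as 'outside'.
        return False


def audit_archive(tar_bytes, dest):
    """For every member of an in-memory tar, report whether the prefix-based
    check and the component-based check would allow extraction under dest.
    Returns {member_name: (prefix_check_allows, path_check_allows)}."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            results[member.name] = (
                is_within_directory_prefix(dest, target),
                is_within_directory_path(dest, target),
            )
    return results


def build_sample_archive():
    """Constructed sample archive: one benign member and two hostile member
    names. The sibling-directory name is the case the advisory describes;
    the plain '../../' name is caught even by the flawed check."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name in ("sub/file.txt", "../extract_evil/payload", "../../etc/passwd"):
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    # Assumed destination directory; it does not need to exist for the checks.
    dest = os.path.join(tempfile.gettempdir(), "extract")
    return audit_archive(build_sample_archive(), dest)


if __name__ == "__main__":
    for name, (prefix_ok, path_ok) in demo().items():
        print(f"{name!r}: commonprefix allows={prefix_ok}, commonpath allows={path_ok}")
```

Running the script shows that '../extract_evil/payload' is accepted by the commonprefix check and rejected by the commonpath check, while the benign member is accepted by both and '../../etc/passwd' is rejected by both. Resolving with os.path.realpath before comparing also closes the symlink variant, where a member that is itself a link is later used as a path prefix by another member.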
Configurations

No configuration.

History

26 Jun 2026, 20:16

Type: New CVE
Values Removed: (none)
Values Added: (none)

Information

Published : 2026-06-26 20:16

Updated : 2026-06-27 04:17


NVD link : CVE-2026-29509

Mitre link : CVE-2026-29509

CVE.ORG link : CVE-2026-29509


Products Affected

No product.

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')