CVE-2026-24909
MEDIUMSeverity by source
AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 10 npm packages depend on @vltpkg/tar (1 direct, 9 indirect)
Ecosystem-wide dependent count for version 1.0.0-rc.10.
DescriptionCVE.org
vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.
AnalysisAI
Path traversal in vlt versions before 1.0.0-rc.10 allows local attackers to write files outside their intended directories during tar archive extraction due to insufficient path sanitization. An attacker with local access could exploit this to overwrite arbitrary files on the system with elevated scope impact. No patch is currently available for this vulnerability.
Technical ContextAI
Affects vlt. vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.
Affected ProductsAI
Product: vlt. Versions: up to 1.0.0.
RemediationAI
Monitor vendor advisories for a patch. Validate and sanitize file path inputs. Use allowlists.
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-gf2c-jwcj-x929