Skip to main content

CVE-2026-24909

MEDIUM
Relative Path Traversal (CWE-23)
2026-01-27 cve@mitre.org GHSA-gf2c-jwcj-x929
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Jan 27, 2026 - 23:15 nvd
MEDIUM 5.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 10 npm packages depend on @vltpkg/tar (1 direct, 9 indirect)

Ecosystem-wide dependent count for version 1.0.0-rc.10.

DescriptionCVE.org

vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.

AnalysisAI

Path traversal in vlt versions before 1.0.0-rc.10 allows local attackers to write files outside their intended directories during tar archive extraction due to insufficient path sanitization. An attacker with local access could exploit this to overwrite arbitrary files on the system with elevated scope impact. No patch is currently available for this vulnerability.

Technical ContextAI

Affects vlt. vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.

Affected ProductsAI

Product: vlt. Versions: up to 1.0.0.

RemediationAI

Monitor vendor advisories for a patch. Validate and sanitize file path inputs. Use allowlists.

Share

CVE-2026-24909 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy