Skip to main content

CPython CVE-2026-7774

| EUVDEUVD-2026-34282 MEDIUM
Path Traversal (CWE-22)
2026-06-04 PSF GHSA-6cj7-v55x-8mwr
6.9
CVSS 4.0 · Vendor: PSF
Share

Severity by source

Vendor (PSF) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (PSF).

CVSS VectorVendor: PSF

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 04, 2026 - 18:16 vuln.today
Analysis Generated
Jun 04, 2026 - 18:16 vuln.today
CVSS changed
Jun 04, 2026 - 16:22 NVD
6.9 (MEDIUM)
CVE Published
Jun 04, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.

AnalysisAI

Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and write files to arbitrary locations outside the intended extraction directory. When an application or user calls tarfile.extractall() with the data filter active, specially crafted symlinks using empty names, directory-like names, or trailing slashes can redirect subsequent archive members through attacker-controlled paths, subject to the permissions of the extracting process. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, but the attack vector is network-accessible and requires only that a victim initiate extraction of a crafted archive (UI:A).

Technical ContextAI

CPython's tarfile module (cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*) introduced tarfile.data_filter as a security control to prevent path traversal during archive extraction. The vulnerability (CWE-22, Path Traversal) arises from multiple related flaws in how the filter validates link targets in the _get_filtered_attrs function within Lib/tarfile.py. First, the filter was resolving symlink targets relative to the original unstripped member name rather than the normalized form actually written to disk - a normpath/realpath divergence that could be exploited by chaining a pre-placed symlink to a deep nonexistent path while using normpath collapsing to escape the destination. Second, trailing separators on symlink member names (e.g., 'x/') caused target resolution to use the wrong parent directory. Third, link entries with empty, '.', or './' names could silently replace the destination directory itself with a symlink, redirecting all subsequent extractions. The PR diff shows the fix enforces normalization of linkname before validation, strips trailing separators from the member name when resolving the symlink directory, and explicitly raises OutsideDestinationError when a link target resolves to the destination directory itself.

RemediationAI

The upstream fix is available in CPython PR #149487 (https://github.com/python/cpython/pull/149487); based on EUVD affected version range (CPython < 3.15.0), upgrading to CPython 3.15.0 or later addresses this issue, however the exact patched release version is inferred from EUVD data rather than independently confirmed from a tagged release - verify against the PSF advisory at https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/. If upgrading is not immediately possible, the most effective compensating control is to avoid calling tarfile.extractall() on untrusted archives entirely and instead manually iterate members with tarfile.getmembers(), validating each resolved path against the intended destination before extracting. Alternatively, restrict the extracting process to a dedicated, low-privilege account and an isolated directory with no sensitive files in parent paths, limiting the blast radius of any successful traversal. Note that continuing to use data_filter alone is insufficient as a workaround since this vulnerability specifically bypasses it.

CVE-2026-6100 CRITICAL
9.1 Apr 13

CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances a

CVE-2026-11972 HIGH
8.2 Jun 23

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted

CVE-2026-9669 HIGH
8.2 Jun 08

Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sen

CVE-2026-11940 HIGH
7.8 Jun 23

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filter

CVE-2026-4786 HIGH
7.0 Apr 13

Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted UR

CVE-2026-4519 HIGH
7.0 Mar 20

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-l

CVE-2026-7210 MEDIUM
6.3 May 11

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flo

CVE-2026-3276 MEDIUM
6.3 Jun 03

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions

CVE-2026-8328 MEDIUM
5.9 May 13

Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP ser

CVE-2026-12003 MEDIUM
5.3 Jun 16

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a mor

CVE-2026-0864 MEDIUM
4.1 Jun 23

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via con

CVE-2026-6019 LOW
2.1 Apr 22

CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parse

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected

Share

CVE-2026-7774 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy