Improper Link Resolution Before File Access (CWE-59)
2026-05-26
GHSA-fcfm-93gv-wh6f
CVSS 3.1 score: 7.5
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | High |
| Availability | None |
Lifecycle Timeline (5 events)
| Event | Date | Source | Detail |
|---|---|---|---|
| Source Code Evidence Fetched | May 27, 2026 - 19:38 | vuln.today | - |
| Analysis Generated | May 27, 2026 - 19:38 | vuln.today | - |
| CVSS changed | May 27, 2026 - 19:37 | NVD | 7.5 (HIGH) |
| Patch available | May 26, 2026 - 03:01 | EUVD | - |
| CVE Published | May 26, 2026 - 00:45 | NVD | UNKNOWN (no severity yet) |
Description (pre-NVD)
Disclosed via oss-security. NVD scoring and full description are pending.
Analysis (AI)
Arbitrary file modification in the Perl Archive::Tar module before version 3.08 allows a malicious tar archive to create hardlinks pointing outside the extraction directory. Any application or service that extracts attacker-supplied tarballs is affected: because extraction chmods the shared inode of a hardlink, an attacker can alter permissions of sensitive files outside the intended target path. …
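The check below is an added example, not code from the advisory or from Archive::Tar: a pre-extraction scan in Python that lists hardlink entries whose target is absolute or climbs above the extraction root. It assumes hardlink targets are interpreted relative to the archive root, as is conventional for tar; the function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def escaping_hardlinks(fileobj):
    """Return (member name, link target) for every hardlink entry whose
    target is absolute or climbs above the extraction root."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:
            if not member.islnk():  # only hardlink entries are of interest
                continue
            target = member.linkname
            normalized = posixpath.normpath(target)
            if (posixpath.isabs(target) or normalized == ".."
                    or normalized.startswith("../")):
                findings.append((member.name, target))
    return findings


def build_sample():
    """Constructed in-memory archive: one regular file, one hardlink that
    stays inside the tree, one hardlink with a placeholder outside target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        data = b"hello\n"
        regular = tarfile.TarInfo("pkg/readme.txt")
        regular.size = len(data)
        archive.addfile(regular, io.BytesIO(data))
        for name, target in (("pkg/readme.link", "pkg/readme.txt"),
                             ("pkg/other.link", "../outside/placeholder.txt")):
            link = tarfile.TarInfo(name)
            link.type = tarfile.LNKTYPE  # hardlink entry, no data payload
            link.linkname = target
            archive.addfile(link)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, target in escaping_hardlinks(build_sample()):
        print(f"reject archive: hardlink {name!r} -> {target!r}")
```

The check is lexical only: it does not follow symlinks that an earlier entry in the same archive may have placed in the target path, so it complements extracting into an empty, dedicated directory rather than replacing it.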
Vendor Status
Debian: perl
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 5.32.1-4+deb11u3 | - |
| bullseye (security) | vulnerable | 5.32.1-4+deb11u5 | - |
| bookworm | vulnerable | 5.36.0-7+deb12u3 | - |
| bookworm (security) | vulnerable | 5.36.0-7+deb12u2 | - |
| trixie | vulnerable | 5.40.1-6 | - |
| forky, sid | vulnerable | 5.40.1-7 | - |
| (unstable) | fixed | (unfixed) | - |
EUVD-2026-31777