Skip to main content

Cornac EUVDEUVD-2026-44669

| CVE-2026-43637 HIGH
Path Traversal (CWE-22)
2026-07-15 VulnCheck GHSA-rrh3-cwwj-g5mg
8.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

Attacker must interpose on or supply the downloaded archive (AC:H) and the victim must invoke a dataset loader (UI:R); arbitrary file write gives I:H/A:H with no direct confidentiality loss (C:N).

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 14:31 vuln.today
Analysis Generated
Jul 15, 2026 - 14:31 vuln.today
CVE Published
Jul 15, 2026 - 13:54 cve.org
HIGH 8.8

DescriptionCVE.org

Cornac before 2.6.0 contains a path traversal (Tar Slip) vulnerability that allows attackers to write arbitrary files outside the intended cache directory by supplying a crafted TAR archive containing ../ sequences, absolute paths, or symlink/hardlink entries to the _extract_archive() function in cornac/utils/download.py. Attackers can trigger this vulnerability through the built-in dataset loaders, which automatically download and extract archives, causing archive.extractall() to write files to arbitrary locations on the filesystem accessible to the running process.

AnalysisAI

Arbitrary file write in Cornac's dataset-download utility (all versions before 2.6.0) lets an attacker who controls a downloaded TAR archive place files anywhere the Python process can write, because the _extract_archive() helper in cornac/utils/download.py calls archive.extractall() without validating member paths. Since Cornac's built-in dataset loaders automatically fetch and unpack archives, a poisoned or MITM'd dataset archive containing ../ traversal, absolute paths, or symlink/hardlink entries can overwrite sensitive files and potentially achieve code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host or MITM malicious dataset archive
Delivery
Victim invokes built-in dataset loader
Exploit
Cornac auto-downloads crafted TAR
Execution
extractall() follows ../ and symlink entries
Persist
Arbitrary files written outside cache dir
Impact
Overwrite cron/SSH/module for code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to control the contents of a TAR archive that Cornac fetches through its built-in dataset loaders (which call _extract_archive() → archive.extractall() in cornac/utils/download.py), and the malicious archive must contain ../ traversal sequences, absolute paths, or symlink/hardlink entries. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VI:H/VA:H, score 8.8) models unauthenticated network exploitation with high integrity and availability impact and no confidentiality loss - consistent with arbitrary file write rather than direct data theft. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can influence a dataset archive Cornac downloads - by hosting a malicious 'benchmark' dataset, compromising a mirror, or intercepting an unauthenticated download - serves a crafted TAR whose members use ../ sequences or a symlink pointing outside the cache directory. When a researcher's script calls a built-in dataset loader, Cornac auto-downloads and extractall()s the archive, silently writing attacker-controlled files (e.g., a cron job, SSH key, or Python module on the import path) to arbitrary locations, enabling persistence or code execution as the running user. …
Remediation Vendor-released patch: upgrade Cornac to 2.6.0 or later (pip install --upgrade cornac), which the 2.6.0 release notes describe as 'Fix CWE-22 path traversal (Tar Slip) in dataset archive extraction' (PR #709, commit 8a50be72). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems and applications using Cornac and classify by dataset sources (internal vs. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44669 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy