PT-2026-32968 · Zarf · Zarf

Published: 2026-04-14 · Updated: 2026-04-15 · CVE-2026-40090
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Zarf versions 0.23.0 through 0.74.1
Description: An arbitrary file write exists in the 'zarf package inspect sbom' and 'zarf package inspect documentation' subcommands. Both build their output file paths by joining the user-supplied output directory with the Metadata.Name field read from the package's zarf.yaml manifest, without validating that field as a single path component. An attacker who controls a package can set the name to an absolute path or a path traversal sequence such as '../../etc/cron.d/malicious', so that attacker-controlled content from the package is written to an arbitrary filesystem location with the permissions of the user running the command. The malicious value travels inside the package, so the only user interaction required (UI:R in the vector) is inspecting the attacker's package.
Recommendations: Update to version 0.74.2. Avoid inspecting unsigned packages or packages from untrusted sources.
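To make the join-without-validation pattern concrete, the following Go program is an added example written for this page; it is not Zarf's code and does not reproduce the project's actual path construction. It contrasts a path builder that joins the output directory with Metadata.Name verbatim against one that treats the name as untrusted input: the name must be a single path component that passes an allowlist (the allowlist pattern is an assumption for illustration, not Zarf's naming rule), and the resolved path is then checked to still lie under the output directory. The package metadata values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// zarfMetadata is a constructed stand-in for the metadata block of a
// package's zarf.yaml; only the Name field matters for this example.
type zarfMetadata struct {
	Name string
}

// vulnerableOutputPath reproduces the pattern the advisory describes: the
// user-chosen output directory is joined with Metadata.Name exactly as read
// from the package. filepath.Join cleans the result but does not confine it,
// so a name carrying "../" segments resolves outside outputDir.
func vulnerableOutputPath(outputDir string, meta zarfMetadata) string {
	return filepath.Join(outputDir, meta.Name)
}

// ErrUnsafeName is returned when Metadata.Name cannot be used as a path component.
var ErrUnsafeName = errors.New("package metadata name is not a safe path component")

// safeName is an assumed allowlist (lowercase letters, digits and dashes,
// starting with a letter or digit); it is not Zarf's own rule for names.
var safeName = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*$`)

// safeOutputPath treats Metadata.Name as untrusted: it rejects empty names,
// ".", "..", absolute paths, anything containing a separator, and anything
// outside the allowlist. It then confirms the joined path is still under
// outputDir, as defence in depth should the allowlist ever be relaxed.
func safeOutputPath(outputDir string, meta zarfMetadata) (string, error) {
	name := meta.Name
	if name == "" || name == "." || name == ".." || filepath.IsAbs(name) ||
		strings.ContainsAny(name, `/\`) || !safeName.MatchString(name) {
		return "", ErrUnsafeName
	}
	base := filepath.Clean(outputDir)
	full := filepath.Join(base, name)
	// Containment check: the relative path from base to full must not start
	// with "..", otherwise full has escaped the output directory.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return full, nil
}

func main() {
	out := "/tmp/zarf-inspect" // user-chosen output directory (constructed)
	packages := []zarfMetadata{
		{Name: "my-app"},                      // benign name
		{Name: "../../etc/cron.d/malicious"},  // traversal value from the advisory
	}
	for _, m := range packages {
		fmt.Printf("name %q\n  vulnerable join: %s\n", m.Name, vulnerableOutputPath(out, m))
		if p, err := safeOutputPath(out, m); err != nil {
			fmt.Printf("  hardened:        rejected (%v)\n", err)
		} else {
			fmt.Printf("  hardened:        %s\n", p)
		}
	}
}
```

Note that Go's filepath.Join does not discard earlier elements when a later one is absolute (unlike some other languages' join functions), so an absolute Metadata.Name still lands under the output directory with this particular join; the traversal variant escapes regardless. The hardened version rejects both forms because neither is a valid single path component, which is the property the caller actually needs.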

Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2026-40090, GHSA-PJ97-4P9W-GX3Q

Affected Products: Zarf