PT-2026-3523 · Unknown+1 · Jaraco.Context+1

Tsigouris007 · Published 2026-01-13 · Updated 2026-05-21 · CVE-2026-23949

CVSS v3.1: 8.6 High

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

jaraco.context versions prior to 6.1.0

Description

jaraco.context, a software package providing decorators and context managers, contains a path traversal issue in the jaraco.context.tarball() function. The issue allows attackers to extract files outside the intended directory when a malicious tar archive is processed. The vulnerability arises because the strip-first-component filter incorrectly handles ../ sequences within paths, enabling traversal attacks. The function is also susceptible to nested tarball attacks involving multi-level tar files.

Recommendations

Update jaraco.context to version 6.1.0 or later.
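
For code that must strip the first path component itself, the description above implies a containment check on the path that remains. The following is an added example, not code from jaraco.context or its fix; the names strip_first_component_safely, audit, UnsafeMember and SAMPLE are hypothetical, and the link policy is an assumption of this example.

```python
import copy
import os
import tarfile


class UnsafeMember(Exception):
    """Member would be written outside the destination directory."""


def strip_first_component_safely(member, dest):
    """Extraction filter: drop the leading path component, then refuse any
    member whose remaining path resolves outside dest."""
    _, sep, rest = member.name.partition("/")
    if not sep or not rest:
        raise UnsafeMember(f"nothing left after stripping: {member.name!r}")
    dest_real = os.path.realpath(dest)
    # An absolute 'rest' replaces dest_real in join(), so it is caught below too.
    target = os.path.realpath(os.path.join(dest_real, rest))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeMember(f"escapes destination: {member.name!r}")
    if member.issym() or member.islnk():
        # Conservative policy chosen for this example: no absolute or
        # parent-relative link targets at all.
        link = member.linkname
        if link.startswith("/") or ".." in link.split("/"):
            raise UnsafeMember(f"link target not allowed: {member.name!r}")
    safe = copy.copy(member)
    safe.name = os.path.relpath(target, dest_real)  # normalised, inside dest
    return safe


def audit(members, dest):
    """Return (accepted stripped names, rejected original names)."""
    accepted, rejected = [], []
    for m in members:
        try:
            accepted.append(strip_first_component_safely(m, dest).name)
        except UnsafeMember:
            rejected.append(m.name)
    return accepted, rejected


# Constructed member names for illustration; no archive is read or written.
SAMPLE = [tarfile.TarInfo(n) for n in (
    "pkg-1.0/README", "pkg-1.0/src/mod.py", "pkg-1.0/docs/../NOTES",
    "pkg-1.0/../../outside.txt", "pkg-1.0//abs/outside.txt")]
```

The function takes (member, path) and returns a TarInfo, so on Python versions that support extraction filters it can be passed as the filter argument of TarFile.extractall(). A nested archive extracted in a second pass needs the same check applied again with its own destination.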

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-03594
CVE-2026-23949
ECHO-4DEA-2475-6D75
GHSA-58PV-8J8X-9VJ2
OPENSUSE-SU-2026:10077-1
OPENSUSE-SU-2026:20095-1
SUSE-SU-2026:20139-1
USN-7979-1

Affected Products

Red Os
Jaraco.Context