PT-2026-60172 · Pypi · Cornac

Rahul Karne

+1

·

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-43637

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions Cornac versions prior to 2.6.0
Description A path traversal issue, specifically a Tar Slip, exists when the extract archive() function in cornac/utils/download.py processes a crafted TAR archive. By using absolute paths, symlink/hardlink entries, or ../ sequences, an attacker can cause archive.extractall() to write arbitrary files outside the intended cache directory to any location on the filesystem accessible to the running process. This can be triggered via built-in dataset loaders that automatically download and extract archives.
Recommendations Update to version 2.6.0 or later. As a temporary mitigation, restrict the use of the extract archive() function or avoid using built-in dataset loaders with untrusted archives.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43637

Affected Products

Cornac