PT-2026-60172 · Pypi · Cornac
Rahul Karne
+1
·
Published
2026-07-15
·
Updated
2026-07-15
·
CVE-2026-43637
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Cornac versions prior to 2.6.0
Description
A path traversal issue, specifically a Tar Slip, exists when the
extract archive() function in cornac/utils/download.py processes a crafted TAR archive. By using absolute paths, symlink/hardlink entries, or ../ sequences, an attacker can cause archive.extractall() to write arbitrary files outside the intended cache directory to any location on the filesystem accessible to the running process. This can be triggered via built-in dataset loaders that automatically download and extract archives.Recommendations
Update to version 2.6.0 or later.
As a temporary mitigation, restrict the use of the
extract archive() function or avoid using built-in dataset loaders with untrusted archives.Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cornac