Tar

This hub aggregates every CVE we track for Tar, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Tar.

• CVE-2026-5704Tar: tar: hidden file injection via crafted archives5.0Apr 6, 2026
• CVE-2026-33056tar-rs: unpack_in can chmod arbitrary directories by following symlinks6.5Mar 20, 2026
• CVE-2026-31802node-tar Symlink Path Traversal via Drive-Relative Linkpath5.5Mar 9, 2026
• CVE-2026-29786node-tar: Hardlink Path Traversal via Drive-Relative Linkpath6.3Mar 7, 2026
• CVE-2026-26960node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction7.1Feb 20, 2026
• CVE-2026-24842node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal8.2Jan 28, 2026
• CVE-2026-23950node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS8.8Jan 20, 2026
• CVE-2026-23745node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization6.1Jan 16, 2026
• CVE-2025-64118node-tar vulnerable to race condition leading to uninitialized memory exposure7.0Oct 30, 2025
• CVE-2025-45582GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to...4.1Jul 11, 2025
• CVE-2023-39804In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.6.2Mar 27, 2024
• CVE-2024-28863node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation6.5Mar 21, 2024
• CVE-2022-48303GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The ...5.5Jan 30, 2023
• CVE-2021-37713Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization8.2Aug 31, 2021
• CVE-2021-37712Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links8.2Aug 31, 2021