8.6
HIGH CVSS 3.1
CVE-2026-29786
node-tar: Hardlink Path Traversal via Drive-Relative Linkpath
Description

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.

INFO

Published Date :

March 7, 2026, 4:15 p.m.

Last Modified :

June 30, 2026, 3:18 a.m.

Remotely Exploit :

Yes !
Affected Products

The following products are affected by CVE-2026-29786 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Isaacs tar
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 134c704f-9b21-4f2e-91b3-4a467353bcc0
CVSS 3.1 MEDIUM [email protected]
CVSS 3.1 HIGH 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
CVSS 4.0 HIGH [email protected]
Solution
Update node-tar to version 7.5.10 or later to patch path traversal vulnerability.
  • Update node-tar to version 7.5.10 or later.
  • Verify archive integrity after extraction.
Public PoC/Exploit Available at Github

CVE-2026-29786 has a 5 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-29786 is associated with the following CWEs:

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Ox Security Assignment - Find Vulnerabilities in code repositories

Dockerfile Shell Python

Updated: 3 weeks, 1 day ago
0 stars 0 fork 0 watcher
Born at : June 13, 2026, 2:52 p.m. This repo has been linked 93 different CVEs too.

None

Dockerfile JavaScript

Updated: 2 months ago
0 stars 0 fork 0 watcher
Born at : May 6, 2026, 5:30 p.m. This repo has been linked 11 different CVEs too.

DevSecOps Process Tracker

Dockerfile TypeScript CSS JavaScript HTML

Updated: 3 months ago
1 stars 0 fork 0 watcher
Born at : March 26, 2026, 9:45 p.m. This repo has been linked 4 different CVEs too.

Technical analysis and Proof-of-Concept (PoC) for a critical Path Traversal vulnerability via Symlink manipulation in the Node.js 'tar' package (CVE-2026-29786)

JavaScript

Updated: 3 months, 3 weeks ago
1 stars 0 fork 0 watcher
Born at : March 10, 2026, 6:40 a.m. This repo has been linked 1 different CVEs too.

PoC for CVE-2026-29786 demonstrating a node-tar hardlink path traversal that allows overwriting files outside the extraction directory.

JavaScript

Updated: 4 months ago
1 stars 0 fork 0 watcher
Born at : March 5, 2026, 10:53 p.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-29786 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2026-29786 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 0b0ca135-0b70-47e7-9f44-1890c2a1c46c

    Jun. 30, 2026

    Action Type Old Value New Value
    Added Affected [{'cpes': ['cpe:/a:redhat:cryostat:4'], 'vendor': 'Red Hat', 'product': 'Cryostat 4', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:logging:5'], 'vendor': 'Red Hat', 'product': 'Logging Subsystem for Red Hat OpenShift', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:network_observ_optr:1'], 'vendor': 'Red Hat', 'product': 'Network Observability Operator', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:red_hat_3scale_amp:2'], 'vendor': 'Red Hat', 'product': 'Red Hat 3scale API Management Platform 2', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:acm:2'], 'vendor': 'Red Hat', 'product': 'Red Hat Advanced Cluster Management for Kubernetes 2', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:amq_broker:7'], 'vendor': 'Red Hat', 'product': 'Red Hat AMQ Broker 7', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:apache_camel_hawtio:4'], 'vendor': 'Red Hat', 'product': 'Red Hat build of Apache Camel - HawtIO 4', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:10'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 10', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:8'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 8', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:9'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 9', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:jboss_fuse:7'], 'vendor': 'Red Hat', 'product': 'Red Hat Fuse 7', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:jboss_enterprise_application_platform:7'], 'vendor': 'Red Hat', 'product': 'Red Hat JBoss Enterprise Application Platform 7', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:jboss_enterprise_application_platform:8'], 'vendor': 'Red Hat', 'product': 'Red Hat JBoss Enterprise Application Platform 8', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:jbosseapxp'], 'vendor': 'Red Hat', 'product': 'Red Hat JBoss Enterprise Application Platform Expansion Pack', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:openshift_ai'], 'vendor': 'Red Hat', 'product': 'Red Hat OpenShift AI (RHOAI)', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:openshift:4'], 'vendor': 'Red Hat', 'product': 'Red Hat OpenShift Container Platform 4', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:openshift_data_foundation:4'], 'vendor': 'Red Hat', 'product': 'Red Hat Openshift Data Foundation 4', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:openshift_devspaces:3'], 'vendor': 'Red Hat', 'product': 'Red Hat OpenShift Dev Spaces', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:jboss_enterprise_bpms_platform:7'], 'vendor': 'Red Hat', 'product': 'Red Hat Process Automation 7', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:red_hat_single_sign_on:7'], 'vendor': 'Red Hat', 'product': 'Red Hat Single Sign-On 7', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:trusted_artifact_signer:1'], 'vendor': 'Red Hat', 'product': 'Red Hat Trusted Artifact Signer', 'defaultStatus': 'unaffected'}]
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
    Added CWE CWE-22
    Added Reference https://access.redhat.com/security/cve/CVE-2026-29786
    Added Reference https://bugzilla.redhat.com/show_bug.cgi?id=2445476
    Added Reference https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29786.json
  • CVE Modified by [email protected]

    Jun. 17, 2026

    Action Type Old Value New Value
    Added Affected [{'vendor': 'isaacs', 'product': 'node-tar', 'versions': [{'status': 'affected', 'version': '< 7.5.10'}]}]
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jun. 17, 2026

    Action Type Old Value New Value
    Added SSVC {'id': 'CVE-2026-29786', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'poc'}, {'automatable': 'no'}, {'technicalImpact': 'partial'}], 'version': '2.0.3', 'timestamp': '2026-03-09T17:52:29.312917Z'}
  • Initial Analysis by [email protected]

    Mar. 11, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
    Added CWE CWE-22
    Added CPE Configuration OR *cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:* versions up to (excluding) 7.5.10
    Added Reference Type GitHub, Inc.: https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f Types: Patch
    Added Reference Type GitHub, Inc.: https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96 Types: Exploit, Vendor Advisory
  • New CVE Received by [email protected]

    Mar. 07, 2026

    Action Type Old Value New Value
    Added Description node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
    Added CVSS V4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CWE CWE-22
    Added CWE CWE-59
    Added Reference https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f
    Added Reference https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.