Description
vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.
Published: 2026-01-27
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal allowing arbitrary file modification during tar extraction
Action: Immediate Patch
AI Analysis

Impact

The vulnerability involves a failure to correctly sanitize file paths when extracting tar archives in vlt. This path traversal flaw, identified as CWE-23, permits a malicious archive to create or overwrite files outside the intended extraction directory. If an attacker can influence the contents of a tar file processed by vlt, they could place files in sensitive locations or even overwrite system configuration, potentially leading to privilege escalation or denial of service.

Affected Systems

The issue affects all releases of the vlt package before version 1.0.0‑rc.10. Vendors and users should verify that they are running v1.0.0‑rc.10 or later. All earlier releases, including release candidates up to rc.9, are vulnerable.

Risk and Exploitability

The CVSS base score of 5.9 categorizes the flaw as moderate, and the EPSS score indicates a low likelihood of exploitation (<1%). It is not listed in the CISA KEV catalog. The simplest exploitation path is delivering a crafted tar file to a system running vlt and invoking the extraction routine. Because the flaw does not require network exposure and depends on local execution of vlt, an attacker must either have local access or be able to trick a user or automated process into opening a malicious archive.

Generated by OpenCVE AI on April 18, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vlt to version 1.0.0‑rc.10 or later.
  • If upgrading immediately is not possible, process tar archives only from trusted sources and manually verify extracted file paths against the intended directory to prevent files from being written outside the target folder.
  • Run vlt in a restricted environment or container that limits write permissions to the extraction target until a patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 01:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gf2c-jwcj-x929 vlt Mishandles Path Sanitization for tar
History

Sat, 18 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Path Traversal in vlt Tar Extraction

Wed, 28 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Vlt
Vlt vlt
Vendors & Products Vlt
Vlt vlt

Tue, 27 Jan 2026 22:45:00 +0000

Type Values Removed Values Added
References

Tue, 27 Jan 2026 22:30:00 +0000

Type Values Removed Values Added
Description vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.
Weaknesses CWE-23
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N'}

Subscriptions

Vlt Vlt
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-01-28T21:18:16.797Z

Reserved: 2026-01-27T22:14:37.414Z

Link: CVE-2026-24909

cve-icon Vulnrichment

Updated: 2026-01-28T21:18:11.018Z

cve-icon NVD

Status : Deferred

Published: 2026-01-27T23:15:50.680

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24909

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses