Description
Junrar is an open source java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc). Version 7.5.8 has a fix for the issue.
Published: 2026-02-26
Score: 5.9 Medium
EPSS: 12.0% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Junrar, the open-source Java RAR extraction library, contains a backslash path‑traversal flaw in its LocalFolderExtractor component. The flaw bypasses backslash handling on Linux/Unix, permitting an attacker to instruct the library to write any file with attacker‑controlled content to any arbitrary location on the filesystem when a crafted RAR archive is extracted. Because the library writes files without validating the target path, the vulnerability is an arbitrary file write (CWE‑22). If the crafted archive contains malicious scripts or binaries, overwriting configuration, shell profiles, source files, or cron jobs can lead to remote code execution.

Affected Systems

The issue affects all versions of the open‑source Junrar library before the 7.5.8 release. Junrar version 7.5.8 and later contain the fix. Any Java application that uses Junrar for archive extraction on a Linux or Unix system is susceptible if it is using an older version.

Risk and Exploitability

The vulnerability scores 5.9 on the CVSS scale and carries an EPSS rating of 12 %, indicating a moderate risk of exploitation. It is not listed in CISA’s KEV catalog, suggesting no known large‑scale exploit activity. Exploitation requires an attacker to supply a malicious RAR archive to a process that performs extraction, which is more likely in environments where users or services routinely handle untrusted archives.

Generated by OpenCVE AI on June 24, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Junrar to version 7.5.8 or later to receive the fix.
  • Ensure that all components in your application that call the RAR extraction routine use the updated library and not a retained older copy.
  • Restrict or validate any RAR archives before extraction, disallowing input from untrusted or external sources to prevent the flaw from being triggered.

Generated by OpenCVE AI on June 24, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j273-m5qq-6825 Junrar has an arbitrary file write due to backslash Path Traversal bypass in LocalFolderExtractor on Linux/Unix
History

Mon, 02 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 28 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 27 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Junrar Project
Junrar Project junrar
CPEs cpe:2.3:a:junrar_project:junrar:*:*:*:*:*:*:*:*
Vendors & Products Junrar Project
Junrar Project junrar

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Junrar
Junrar junrar
Vendors & Products Junrar
Junrar junrar

Thu, 26 Feb 2026 22:45:00 +0000

Type Values Removed Values Added
Description Junrar is an open source java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc). Version 7.5.8 has a fix for the issue.
Title Junrar has arbitrary file write due to backslash path traversal bypass in LocalFolderExtractor on Linux/Unix
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Junrar Junrar
Junrar Project Junrar
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T20:47:15.670Z

Reserved: 2026-02-25T15:28:40.648Z

Link: CVE-2026-28208

cve-icon Vulnrichment

Updated: 2026-03-02T20:47:04.767Z

cve-icon NVD

Status : Modified

Published: 2026-02-26T23:16:35.440

Modified: 2026-06-17T10:28:20.073

Link: CVE-2026-28208

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-26T22:20:03Z

Links: CVE-2026-28208 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T14:00:07Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')