Description
Junrar is an open source java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc). Version 7.5.8 has a fix for the issue.
Published: 2026-02-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

A path traversal flaw in Junrar’s LocalFolderExtractor bypasses the backslash handling on Linux/Unix, allowing an attacker to drive the library to write any file with arbitrary content to any location on the filesystem when a crafted RAR archive is extracted. The vulnerability is a classic arbitrary file write condition (CWE‑22) that can overwrite critical system files, shell profiles, source code, or cron jobs, leading to remote code execution if the archived payload contains malicious scripts or binaries.

Affected Systems

The issue affects all versions of the open‑source Junrar library prior to version 7.5.8. Junrar developers released version 7.5.8 as a fix; any Java application that relies on Junrar for archive extraction on Linux or Unix systems is impacted if it is using an older version of the library.

Risk and Exploitability

The vulnerability scores 5.9 on the CVSS scale and carries an EPSS rating of less than 1 %, indicating a moderate severity and a low likelihood of widespread exploitation. It is not listed in CISA’s KEV catalog, which suggests no known large‑scale exploit activity. The exploitation requires an attacker to supply a malicious RAR archive to a process that performs extraction, a condition that is more likely in environments where users or services routinely handle untrusted archives.

Generated by OpenCVE AI on April 16, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Junrar to version 7.5.8 or later to obtain the library patch.
  • Ensure that all components in your application that call the RAR extraction routine use the updated library and not a retained older copy.
  • Restrict or validate any RAR archives before extraction, disallowing input from untrusted or external sources to prevent the flaw from being triggered.

Generated by OpenCVE AI on April 16, 2026 at 15:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j273-m5qq-6825 Junrar has an arbitrary file write due to backslash Path Traversal bypass in LocalFolderExtractor on Linux/Unix
History

Mon, 02 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 28 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 27 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Junrar Project
Junrar Project junrar
CPEs cpe:2.3:a:junrar_project:junrar:*:*:*:*:*:*:*:*
Vendors & Products Junrar Project
Junrar Project junrar

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Junrar
Junrar junrar
Vendors & Products Junrar
Junrar junrar

Thu, 26 Feb 2026 22:45:00 +0000

Type Values Removed Values Added
Description Junrar is an open source java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc). Version 7.5.8 has a fix for the issue.
Title Junrar has arbitrary file write due to backslash path traversal bypass in LocalFolderExtractor on Linux/Unix
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Junrar Junrar
Junrar Project Junrar
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T20:47:15.670Z

Reserved: 2026-02-25T15:28:40.648Z

Link: CVE-2026-28208

cve-icon Vulnrichment

Updated: 2026-03-02T20:47:04.767Z

cve-icon NVD

Status : Modified

Published: 2026-02-26T23:16:35.440

Modified: 2026-03-02T21:16:27.533

Link: CVE-2026-28208

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-26T22:20:03Z

Links: CVE-2026-28208 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses