Description
Junrar is an open source java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the issue.
Published: 2026-04-20
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized file write
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a path traversal flaw (CWE-22, the Zip-Slip pattern) in the LocalFolderExtractor component of the junrar Java library. The advisory title, "Path Traversal (Zip-Slip) via Sibling Directory Name Prefix", names the classic form of this bug: the check that an entry's resolved target lies inside the extraction directory is a string-prefix comparison, so a destination such as /data/out also accepts /data/out2/..., because the sibling's path begins with the same characters. A crafted archive therefore carries an entry whose name (typically using ../ segments) resolves into such a sibling directory, and extraction writes the entry there with attacker-chosen content, creating or overwriting files the application never intended to expose to archive input. The impact is integrity only: any file in a reachable sibling directory can be written, but nothing is read back to the attacker and the extraction itself is not disrupted.

Affected Systems

Any Java application that bundles junrar (Maven coordinates com.github.junrar:junrar) at a version before 7.5.10 is affected, including applications that pull it in transitively through a document-parsing or archive-handling dependency; check the resolved tree with `mvn dependency:tree` or `gradle dependencies` rather than only the declared dependencies. The fix is in junrar 7.5.10 and later. The flaw is scoped to LocalFolderExtractor, the helper that writes archive entries to a directory on disk; code that only streams entry contents into its own output, without asking the library to place files on disk, does not go through that component.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, score 5.9 Medium) rates the flaw as reachable over the network with no privileges or user interaction, but with high attack complexity, consistent with the need for a writable sibling directory whose name shares the destination's prefix; the impact is integrity only. No EPSS score has been assigned, the CVE is not in the CISA KEV catalog, and the SSVC assessment recorded in the history below is Exploitation: none, Automatable: no, Technical Impact: partial. The realistic attack path is delivering a crafted archive to any service that extracts user-supplied RAR files with the vulnerable library (an upload endpoint, a mail or document-processing pipeline); the escaped write lands on the host or container performing the extraction, beside the intended output directory, and whether that escalates to code execution depends on what lives in the reachable sibling directories (for example, another application's deploy, config or script directory that shares the name prefix).

Generated by OpenCVE AI on April 20, 2026 at 18:39 UTC.

Remediation

The vendor fix is junrar 7.5.10, as stated in the description above; no separate workaround has been published for earlier versions.

OpenCVE Recommended Actions

  • Upgrade the Junrar library to version 7.5.10 or later; this is the only fix, and it must reach every copy of the library, including transitive ones, so verify with the build tool's dependency tree rather than the declared version
  • Until the upgrade lands, do not hand user-supplied archives to LocalFolderExtractor; iterate the entries yourself, resolve each entry name against the destination, normalize it, and reject any target that is not inside the destination when compared component-wise (a string startsWith on canonical paths is exactly the check this CVE defeats, since it also accepts a sibling directory with the same name prefix)
  • Run extraction under a dedicated low-privilege user into an empty parent directory (so no sibling directory with a shared name prefix exists to be written) or in a container or sandbox, to bound the effect of any escaped write
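An added illustration (not junrar's code, and not taken from the 7.5.10 fix) of the check pattern behind the "sibling directory name prefix" class of Zip-Slip described under Impact, beside the component-wise containment check that the second recommended action calls for. The class ExtractionPathCheck, its two methods and the entry names in main are constructed for this page; the directory layout is created under a temporary directory so the program runs offline:

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

/**
 * Hypothetical demonstration class (not part of junrar): contrasts a
 * string-prefix containment check with a path-component check.
 */
public final class ExtractionPathCheck {

    /**
     * The flawed pattern: canonicalize both paths and compare them as strings.
     * The canonical form of dest carries no trailing separator, so any sibling
     * directory whose name merely starts with dest's name ("out" vs "out2")
     * passes the test and the entry is written outside the destination.
     */
    static boolean insideByStringPrefix(Path dest, String entryName) throws IOException {
        String destCanon = dest.toFile().getCanonicalPath();
        String targetCanon = new File(dest.toFile(), entryName).getCanonicalPath();
        return targetCanon.startsWith(destCanon);
    }

    /**
     * Hardened pattern: normalize both sides and compare path components with
     * Path.startsWith, which only matches on a name-element boundary, so
     * ".../out2/x" does not start with ".../out". Returns the safe absolute
     * target or throws; the caller must not write anything on the throw path.
     */
    static Path resolveInside(Path dest, String entryName) throws IOException {
        Path destAbs = dest.toAbsolutePath().normalize();
        Path target = destAbs.resolve(entryName).normalize();
        if (target.equals(destAbs) || !target.startsWith(destAbs)) {
            throw new IOException("entry escapes extraction directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("junrar-demo");
        Path dest = Files.createDirectories(base.resolve("out"));
        Files.createDirectories(base.resolve("out2")); // sibling sharing the "out" prefix

        // Constructed entry names standing in for what a crafted archive would carry.
        List<String> entries = List.of(
                "docs/readme.txt",        // benign, stays inside out/
                "../out2/payload.txt",    // sibling-prefix escape
                "../../etc/cron.d/job");  // classic traversal, caught by both checks

        for (String e : entries) {
            boolean weak = insideByStringPrefix(dest, e);
            String strong;
            try {
                strong = "OK " + resolveInside(dest, e);
            } catch (IOException ex) {
                strong = "REJECTED (" + ex.getMessage() + ")";
            }
            System.out.printf("%-24s prefix-check=%-5b component-check=%s%n", e, weak, strong);
        }
    }
}
```

Run it with `java ExtractionPathCheck.java` on JDK 11 or later. The benign entry passes both checks; the classic ../../ traversal is caught by both; the sibling entry is the one that separates them, since the string prefix check accepts ../out2/payload.txt while the component check rejects it. Neither check addresses symlinks: if an archive format lets the attacker create a symlink inside the destination and then write through it with a later entry, resolve the parent directory with toRealPath() before each write and re-apply the containment test to the result.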


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:15:00 +0000

  Type: Metrics (ssvc)
  Values Removed: (empty)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 16:45:00 +0000

  Type: First Time appeared
  Values Removed: (empty)
  Values Added: Junrar; Junrar junrar

  Type: Vendors & Products
  Values Removed: (empty)
  Values Added: Junrar; Junrar junrar

Mon, 20 Apr 2026 15:45:00 +0000

  Type: Description
  Values Removed: (empty)
  Values Added: Junrar is an open source java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the issue.

  Type: Title
  Values Removed: (empty)
  Values Added: Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix

  Type: Weaknesses
  Values Removed: (empty)
  Values Added: CWE-22

  Type: References
  Values Removed: (empty)
  Values Added: (empty)

  Type: Metrics (cvssV3_1)
  Values Removed: (empty)
  Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T16:35:09.317Z

Reserved: 2026-04-18T03:47:03.135Z

Link: CVE-2026-41245

Vulnrichment

Updated: 2026-04-20T16:35:04.276Z

NVD

Status : Awaiting Analysis

Published: 2026-04-20T16:16:49.113

Modified: 2026-04-20T19:03:07.607

Link: CVE-2026-41245

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T18:45:14Z

Weaknesses