CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2026-42496 — Archive::Tar versions before 3.08 for Perl extract symlinks with attacker contro...

·Source: NIST NVD

Updated:

Executive Summary

Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted na

Analysis

Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path. CVSS Score: 9.1. Published: 2026-05-26T02:16:40.130.

Indicators of Compromise (1)

CVE (1)
CVE-2026-42496
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on May 26, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerability

Alberto Daniel Hill’s Cybermidnight Coverage of the Latin American Digital Sovereignty Crisis (March–June 2026)

Alberto Daniel Hill’s report is a must-read for anyone who wants to begin to understand what is going on in Argentina, Uruguay, and Mexico with respect to digital security. One of the many limitations of being a solo blogger is that there are entire areas of the world or sectors I basically know nothing about... Source

DataBreaches.net
MEDIUMVulnerability

Why Firms Struggle With Vendor Security After They Sign

<img src="https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/healthcare-firms-struggle-ongoing-vendor-oversight-image_small-9-a-31826.jpg" align=right hspace=4><b>Study: Monitoring Vendor Risk Remains Much Harder Than Onboarding Third Parties</b><br>Healthcare organizations are getting better vetting third-party vendors, including suppliers of medical devices, software and other products. B

Bank Info Security
LOWVulnerability

Rapid7 Names Wael Mohamed CEO Amid Ongoing Growth Struggles

<img src="https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/rapid7-names-wael-mohamed-ceo-amid-ongoing-growth-struggles-image_small-2-a-31830.jpg" align=right hspace=4><b>Former Forescout CEO, Trend Micro COO Mohamed Succeeds Corey Thomas After 13 Years</b><br>Rapid7 has appointed former Forescout CEO Wael Mohamed as chief executive, betting that a renewed focus on AI-driven security opera

Bank Info Security