CVE-2026-24909

MEDIUM

vltpkg/tar < 1.0.0-rc.10 - Path Traversal during Extraction

Title source: llm

vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.

Core 4

Core References

Various Sources

Various Sources

Issue Tracking

Release Notes

CVSS v3 5.9

EPSS 0.0018

EPSS Percentile 7.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

CWE

CWE-23

Status published

Products (2)

vlt/vlt < 1.0.0-rc.10

vltpkg/tar 0 - 1.0.0-rc.10npm

Published Jan 27, 2026

Tracked Since Feb 18, 2026