Description
vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.
References (4)
Scores
CVSS v3
5.9
EPSS
0.0001
EPSS Percentile
0.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-23
Status
published
Products (2)
vlt/vlt
< 1.0.0-rc.10
vltpkg/tar
0 - 1.0.0-rc.10npm
Published
Jan 27, 2026
Tracked Since
Feb 18, 2026