CVE-2026-41245

MEDIUM

Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix

Title source: cna

Description

Junrar is an open source java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the issue.

References (3)

[X_Refsource_Confirm] https://github.com/junrar/junrar/security/advisories/GHSA-hf5p-q87m-crj7

[X_Refsource_Misc] https://github.com/junrar/junrar/commit/d77e9a83eb721cd51f9c23d7869d0e6ad7f952d7

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/junrar/junrar/releases/tag/v7.5.10

Scores

CVSS v3 5.9

EPSS 0.0003

EPSS Percentile 10.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-22

Status published

Products (1)

junrar/junrar < 7.5.10

Published Apr 20, 2026

Tracked Since Apr 20, 2026