CVE-2026-4360
Severity: LOW
Python Software Foundation CPython - TarFile.extract() Doesn't Fully Respect Filter Parameter
Title source: ruleDescription
In the TarFile.extract() function, the filter parameter is not passed through correctly when extracting hard links. A system that extracts content from untrusted tar files could therefore write files with an unexpected uid/gid even though the caller passed filter='data' to extract().
References (7)
Vendor Advisory:
https://mail.python.org/archives/list/[email protected]/thread/TWZW2PC2AZOV6FENIHFSRC63OM7MBGSB/
Patch:
https://github.com/python/cpython/pull/151988
Issue Tracking:
https://github.com/python/cpython/issues/151987
Scores
CVSS v4: 2.0
EPSS: 0.0030
EPSS Percentile: 22.2%
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-281
Status: published
Products (1)
Python Software Foundation/CPython: < 3.15.0
Published: Jun 30, 2026
Tracked Since: Jun 30, 2026