CVE-2026-11940
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk44th percentile — higher than 44% of all known CVEs
Summary
A vulnerability in tarfile.extractall() with the 'data' or 'tar' filter can be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name. The validation checks the symlink at its archived location but recreates it at the hardlink's shallower path, allowing escape from the destination directory.
Risk Assessment
An attacker can exploit this to read or write files outside the destination directory, potentially leading to data confidentiality breaches or unauthorized system modifications.
Recommendation
Immediately update the Python library to a version containing the fix for CVE-2026-11940. Until updated, avoid using extractall() with 'data' or 'tar' filters on untrusted archives.
Original NVD description (English source)
tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name than the hardlink itself. The extraction fallback validated the symlink at it's archived location but recreated it at the hardlink's shallower path, letting a relative target the filter judged contained escape the destination directory. This allowed a malicious tar archive to create a symlink pointing outside the destination, enabling out-of-destination file reads or writes. This was an incomplete fix of CVE-2025-4330.

