CVE Catalog

CVE-2026-29509

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

20th percentile — higher than 20% of all known CVEs

Summary

A path traversal vulnerability in Patool before version 4.0.5 in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12 allows attackers to write arbitrary files by supplying a malicious archive with specially crafted member paths.

Risk Assessment

The risk involves the possibility of overwriting or creating arbitrary files on the victim's system, which could lead to application or system compromise depending on the context in which Patool is used.

Recommendation

Immediately update Patool to version 4.0.5 or later. If an update is not possible, use Python version 3.12 or later, which includes security fixes for this function.

Original NVD description (English source)

Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12, where the is_within_directory() helper uses os.path.commonprefix() for character-level string comparison instead of path-level comparison, allowing a crafted archive member path to bypass the containment check. Attackers can supply a malicious archive with specially crafted member paths to write arbitrary files.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS