{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-24909", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-01-27T22:14:37.414Z", "datePublished": "2026-01-27T22:14:37.716Z", "dateUpdated": "2026-01-28T21:18:16.797Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "vlt", "vendor": "vlt", "versions": [{"lessThan": "1.0.0-rc.10", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "description": "CWE-23 Relative Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-27T22:34:51.187Z"}, "references": [{"url": "https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack"}, {"url": "https://github.com/vltpkg/vltpkg/releases/tag/v1.0.0-rc.10"}, {"url": "https://github.com/vltpkg/vltpkg/pull/1334"}, {"url": "https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T21:18:03.904306Z", "id": "CVE-2026-24909", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T21:18:16.797Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24909", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T21:18:03.904306Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T21:18:11.018Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "vlt", "product": "vlt", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.0-rc.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack"}, {"url": "https://github.com/vltpkg/vltpkg/releases/tag/v1.0.0-rc.10"}, {"url": "https://github.com/vltpkg/vltpkg/pull/1334"}, {"url": "https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23 Relative Path Traversal"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-27T22:34:51.187Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24909", "state": "PUBLISHED", "dateUpdated": "2026-01-28T21:18:16.797Z", "dateReserved": "2026-01-27T22:14:37.414Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-01-27T22:14:37.716Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction."}, {"lang": "es", "value": "vlt anterior a 1.0.0-rc.10 maneja incorrectamente la sanitizaci\u00f3n de rutas para tar, lo que lleva a un salto de ruta durante la extracci\u00f3n."}], "id": "CVE-2026-24909", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 4.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-01-27T23:15:50.680", "references": [{"source": "cve@mitre.org", "url": "https://github.com/vltpkg/vltpkg/pull/1334"}, {"source": "cve@mitre.org", "url": "https://github.com/vltpkg/vltpkg/releases/tag/v1.0.0-rc.10"}, {"source": "cve@mitre.org", "url": "https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act"}, {"source": "cve@mitre.org", "url": "https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:53:25.175869+00:00", "value": {"mitigation_remediation": ["Upgrade vlt to version 1.0.0\u2011rc.10 or later.", "If upgrading immediately is not possible, process tar archives only from trusted sources and manually verify extracted file paths against the intended directory to prevent files from being written outside the target folder.", "Run vlt in a restricted environment or container that limits write permissions to the extraction target until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Path Traversal allowing arbitrary file modification during tar extraction"}, "threat_synthesis": {"affected_systems": "The issue affects all releases of the vlt package before version 1.0.0\u2011rc.10. Vendors and users should verify that they are running v1.0.0\u2011rc.10 or later. All earlier releases, including release candidates up to rc.9, are vulnerable.", "description_and_impact": "The vulnerability involves a failure to correctly sanitize file paths when extracting tar archives in vlt. This path traversal flaw, identified as CWE-23, permits a malicious archive to create or overwrite files outside the intended extraction directory. If an attacker can influence the contents of a tar file processed by vlt, they could place files in sensitive locations or even overwrite system configuration, potentially leading to privilege escalation or denial of service.", "risk_and_exploitability": "The CVSS base score of 5.9 categorizes the flaw as moderate, and the EPSS score indicates a low likelihood of exploitation (<1%). It is not listed in the CISA KEV catalog. The simplest exploitation path is delivering a crafted tar file to a system running vlt and invoking the extraction routine. Because the flaw does not require network exposure and depends on local execution of vlt, an attacker must either have local access or be able to trick a user or automated process into opening a malicious archive."}}}}, "created": "2026-01-28T12:21:54.017442+00:00", "title": "Path Traversal in vlt Tar Extraction", "updated": "2026-04-18T02:00:10.466974+00:00", "vendors": ["vlt", "vlt$PRODUCT$vlt"]}