{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28208", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T15:28:40.648Z", "datePublished": "2026-02-26T22:20:03.765Z", "dateUpdated": "2026-03-02T20:47:15.670Z"}, "containers": {"cna": {"title": "Junrar has arbitrary file write due to backslash path traversal bypass in LocalFolderExtractor on Linux/Unix", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/junrar/junrar/security/advisories/GHSA-j273-m5qq-6825", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/junrar/junrar/security/advisories/GHSA-j273-m5qq-6825"}, {"name": "https://github.com/junrar/junrar/commit/947ff1d33f00f940aa68ae2593500291d799d954", "tags": ["x_refsource_MISC"], "url": "https://github.com/junrar/junrar/commit/947ff1d33f00f940aa68ae2593500291d799d954"}, {"name": "https://github.com/junrar/junrar/releases/tag/v7.5.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/junrar/junrar/releases/tag/v7.5.8"}], "affected": [{"vendor": "junrar", "product": "junrar", "versions": [{"version": "< 7.5.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:20:03.765Z"}, "descriptions": [{"lang": "en", "value": "Junrar is an open source java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc). Version 7.5.8 has a fix for the issue."}], "source": {"advisory": "GHSA-j273-m5qq-6825", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/junrar/junrar/security/advisories/GHSA-j273-m5qq-6825", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T20:47:10.315561Z", "id": "CVE-2026-28208", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:47:15.670Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28208", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-02T20:47:10.315561Z"}}}], "references": [{"url": "https://github.com/junrar/junrar/security/advisories/GHSA-j273-m5qq-6825", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:47:04.767Z"}}], "cna": {"title": "Junrar has arbitrary file write due to backslash path traversal bypass in LocalFolderExtractor on Linux/Unix", "source": {"advisory": "GHSA-j273-m5qq-6825", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "junrar", "product": "junrar", "versions": [{"status": "affected", "version": "< 7.5.8"}]}], "references": [{"url": "https://github.com/junrar/junrar/security/advisories/GHSA-j273-m5qq-6825", "name": "https://github.com/junrar/junrar/security/advisories/GHSA-j273-m5qq-6825", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/junrar/junrar/commit/947ff1d33f00f940aa68ae2593500291d799d954", "name": "https://github.com/junrar/junrar/commit/947ff1d33f00f940aa68ae2593500291d799d954", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/junrar/junrar/releases/tag/v7.5.8", "name": "https://github.com/junrar/junrar/releases/tag/v7.5.8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Junrar is an open source java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc). Version 7.5.8 has a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:20:03.765Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28208", "state": "PUBLISHED", "dateUpdated": "2026-03-02T20:47:15.670Z", "dateReserved": "2026-02-25T15:28:40.648Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T22:20:03.765Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:junrar_project:junrar:*:*:*:*:*:*:*:*", "matchCriteriaId": "38B5DED4-B9D7-4E60-8BB6-9D017DECD809", "versionEndExcluding": "7.5.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Junrar is an open source java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc). Version 7.5.8 has a fix for the issue."}, {"lang": "es", "value": "Junrar es una biblioteca de archivo RAR de Java de c\u00f3digo abierto. Antes de la versi\u00f3n 7.5.8, una vulnerabilidad de salto de ruta con barra invertida en 'LocalFolderExtractor' permite a un atacante escribir archivos arbitrarios con contenido controlado por el atacante en cualquier lugar del sistema de archivos cuando se extrae un archivo RAR manipulado en Linux/Unix. Esto a menudo puede conducir a la ejecuci\u00f3n remota de c\u00f3digo (por ejemplo, sobrescribiendo perfiles de shell, c\u00f3digo fuente, tareas cron, etc.). La versi\u00f3n 7.5.8 tiene una soluci\u00f3n para el problema."}], "id": "CVE-2026-28208", "lastModified": "2026-03-02T21:16:27.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T23:16:35.440", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/junrar/junrar/commit/947ff1d33f00f940aa68ae2593500291d799d954"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/junrar/junrar/releases/tag/v7.5.8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/junrar/junrar/security/advisories/GHSA-j273-m5qq-6825"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/junrar/junrar/security/advisories/GHSA-j273-m5qq-6825"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "com.github.junrar/junrar: Junrar: Remote code execution via path traversal when extracting crafted RAR archives", "id": "2443166", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443166"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-28208", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "junrar", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "junrar", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "junrar", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-02-26T22:20:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28208\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28208\nhttps://github.com/junrar/junrar/commit/947ff1d33f00f940aa68ae2593500291d799d954\nhttps://github.com/junrar/junrar/releases/tag/v7.5.8\nhttps://github.com/junrar/junrar/security/advisories/GHSA-j273-m5qq-6825"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.5.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "junrar", "source": "cna", "vendor": "junrar"}, "product": "junrar", "vendor": "junrar"}], "analysis": {"en": {"generated_at": "2026-04-16T15:57:56.716362+00:00", "value": {"mitigation_remediation": ["Upgrade Junrar to version\u202f7.5.8 or later to obtain the library patch.", "Ensure that all components in your application that call the RAR extraction routine use the updated library and not a retained older copy.", "Restrict or validate any RAR archives before extraction, disallowing input from untrusted or external sources to prevent the flaw from being triggered."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects all versions of the open\u2011source Junrar library prior to version 7.5.8. Junrar developers released version 7.5.8 as a fix; any Java application that relies on Junrar for archive extraction on Linux or Unix systems is impacted if it is using an older version of the library.", "description_and_impact": "A path traversal flaw in Junrar\u2019s LocalFolderExtractor bypasses the backslash handling on Linux/Unix, allowing an attacker to drive the library to write any file with arbitrary content to any location on the filesystem when a crafted RAR archive is extracted. The vulnerability is a classic arbitrary file write condition (CWE\u201122) that can overwrite critical system files, shell profiles, source code, or cron jobs, leading to remote code execution if the archived payload contains malicious scripts or binaries.", "risk_and_exploitability": "The vulnerability scores 5.9 on the CVSS scale and carries an EPSS rating of less than 1\u202f%, indicating a moderate severity and a low likelihood of widespread exploitation. It is not listed in CISA\u2019s KEV catalog, which suggests no known large\u2011scale exploit activity. The exploitation requires an attacker to supply a malicious RAR archive to a process that performs extraction, a condition that is more likely in environments where users or services routinely handle untrusted archives."}}}}, "created": "2026-02-27T09:03:55.630965+00:00", "updated": "2026-04-16T16:00:13.888406+00:00", "vendors": ["junrar", "junrar$PRODUCT$junrar"]}