CVE-2026-31802 - node-tar Symlink Path Traversal via Drive-Relative Linkpath

CVE ID :CVE-2026-31802 Published : March 10, 2026, 7:44 a.m. | 1 hour, 3 minutes ago Description :node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11. Severity: 8.2 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...