Path Traversal in Python Software Foundation CPython

CVE-2026-11940

tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name than the hardlink itself. The extraction fallback validated the symlink at its a…

Vulnerability class: Path Traversal (Directory Traversal)

Affected products

Weakness classification (CWE)

References