What is CVE-2026-26960?

CVE-2026-26960 is a high-severity vulnerability in Isaacs Node-tar, classified under Path Traversal. CVSS score: 7.1/10. Published 2026-02-20.

How severe is CVE-2026-26960?

High severity. CVSS v3 base score is 7.1 out of 10.

Path Traversal in Isaacs Node-tar

CVE-2026-26960

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, en…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (0.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.1 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N.

Affected products

Isaacs Node-tar — versions < 7.5.8

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx (x_refsource_CONFIRM)
https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384 (x_refsource_MISC)
https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-26960?: CVE-2026-26960 is a high-severity vulnerability in Isaacs Node-tar, classified under Path Traversal. CVSS score: 7.1/10. Published 2026-02-20.
How severe is CVE-2026-26960?: High severity. CVSS v3 base score is 7.1 out of 10.