PULSE
LIVE20signals / 24h
FEED
ransomkrybit reclama a euroins.bg · BG · Financial Servicesransomnova reclama a FMZ Tecnologia em Sistemas · BR · Technologyransomqilin reclama a Heartland Catfish · US · Agriculture and Food Productionransomqilin reclama a Salina Supply · US · Business Servicesransomqilin reclama a St Martha Catholic Church · US · Consumer Servicesransomqilin reclama a The Nueva School · US · Educationransomdragonforce reclama a NewNet · SA · Telecommunicationransomqilin reclama a Sicc · IT · Not Foundransomqilin reclama a KLD Labs · US · Technologyransomqilin reclama a Armara · FR · Not Foundransomqilin reclama a AK Preparedness · Business Servicesransomthreeam reclama a tws-tac.net · DE · Not Foundransomincransom reclama a v-silicon.com · TW · Technologyransomincransom reclama a FAST.COM.PH · PH · Technologyransomkrybit reclama a euroins.bg · BG · Financial Servicesransomnova reclama a FMZ Tecnologia em Sistemas · BR · Technologyransomqilin reclama a Heartland Catfish · US · Agriculture and Food Productionransomqilin reclama a Salina Supply · US · Business Servicesransomqilin reclama a St Martha Catholic Church · US · Consumer Servicesransomqilin reclama a The Nueva School · US · Educationransomdragonforce reclama a NewNet · SA · Telecommunicationransomqilin reclama a Sicc · IT · Not Foundransomqilin reclama a KLD Labs · US · Technologyransomqilin reclama a Armara · FR · Not Foundransomqilin reclama a AK Preparedness · Business Servicesransomthreeam reclama a tws-tac.net · DE · Not Foundransomincransom reclama a v-silicon.com · TW · Technologyransomincransom reclama a FAST.COM.PH · PH · Technology
← All CVEs
CVE WatchJul 9, 2026

CVE-2026-4360

In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts c

CVSS

5.3

Medium

EPSS

0.2%

p14

KEV

Exploit Today

4

0-100

Published: Jun 30, 2026 · Last modified: Jul 9, 2026 · CWE-281

EPSS · 30d
0.2%EPSS · 30 days0.3%
2026-07-012026-07-18
Technical description

In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.

Official references
Related CVEs
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2024-463109.1 CRI
82.4%
25Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via exposed API endpoint14d
CVE-2025-551309.1 CRI
73.6%
22A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.4d
CVE-2022-385778.8 HIG
70.4%
21ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators.10d
CVE-2024-548799.1 CRI
55.9%
17SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to recharge members indefinitely.14d
CVE-2023-346728.8 HIG
50.2%
15Improper Access Control leads to adding a high-privilege user affecting Elenos ETG150 FM transmitter running on version 3.12 by exploiting user's role within the admin profile. An attack could occur over the public Internet in some cases.10d
CVE-2026-398329.1 CRI
41.0%
12When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.1d