CVE-2026-7774

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-7774
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-7774.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-7774
Aliases
Downstream
Related
Published
2026-06-04T14:21:23.904Z
Modified
2026-06-24T18:29:17.230877394Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
tarfile.data_filter path traversal bypass allows writing outside the extraction directory
Details

tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7774.json",
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "PSF"
}
References

Affected packages

Git / github.com/python/cpython

Affected ranges

Type
GIT
Repo
https://github.com/python/cpython
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Introduced
ebf955df7a89ed0c7968f79faec1de49f61ed7cb
Introduced
f31a89bb901067dd105b00cfa90523cf7ffdbbdd
Fixed
fd17997c3866d61e0e7bd8201b1d8f35b40a40bd
Fixed
c63aec69bd59c55314c06c23f4c22c03de76fe45
Fixed
94a64bbc6ce89644cf02b82c723d9cc37f6a1870
Fixed
0478bd83d82b255e0f29f613367a59d261e7eaa2
Fixed
0d28f5e46e151718972dfabd91205444d0037b6d
Fixed
578411982c16f753f4893532510099ef665117da
Fixed
5cf47a248c35c375d610b87b2f72fd1ed454b558
Fixed
74cca9a92fb7d653e404843a56b8bdc7b0afdbbf
Database specific 
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.13.14"
        },
        {
            "introduced": "3.14.0"
        },
        {
            "fixed": "3.14.6"
        },
        {
            "introduced": "3.15.0a1"
        },
        {
            "fixed": "3.15.0b2"
        }
    ]
}

Affected versions

v0.*
v0.9.8
v0.9.9
v1.*
v1.0.1
v1.0.2
v1.1
v1.1.1
v1.2
v1.2b1
v1.2b2
v1.2b3
v1.2b4
v1.3
v1.3b1
v1.4
v1.4b1
v1.4b2
v1.4b3
v1.5
v1.5.1
v1.5.2
v1.5.2a1
v1.5.2a2
v1.5.2b1
v1.5.2b2
v1.5.2c1
v1.5a1
v1.5a2
v1.5a3
v1.5a4
v1.5b1
v1.5b2
v1.6a1
v1.6a2
v2.*
v2.0
v2.0b1
v2.0b2
v2.0c1
v2.1
v2.1a1
v2.1a2
v2.1b1
v2.1b2
v2.1c1
v2.1c2
v2.2a3
v2.3c1
v2.3c2
v2.4
v2.4a1
v2.4a2
v2.4a3
v2.4b1
v2.4b2
v2.4c1
v3.*
v3.0a1
v3.0a2
v3.0a3
v3.0a4
v3.0a5
v3.0b1
v3.0b2
v3.0b3
v3.0rc1
v3.0rc2
v3.0rc3
v3.1
v3.10.0a1
v3.10.0a7
v3.11.0a3
v3.11.0a4
v3.11.0a5
v3.11.0a6
v3.11.0a7
v3.11.0b1
v3.12.0
v3.12.0a1
v3.12.0a2
v3.12.0a3
v3.12.0a4
v3.12.0a5
v3.12.0a6
v3.12.0a7
v3.12.0b1
v3.12.0b2
v3.12.0b3
v3.12.0b4
v3.12.0rc1
v3.12.0rc2
v3.12.0rc3
v3.12.1
v3.12.10
v3.12.11
v3.12.12
v3.12.13
v3.12.2
v3.12.3
v3.12.4
v3.12.5
v3.12.6
v3.12.7
v3.12.8
v3.12.9
v3.13.0
v3.13.0a1
v3.13.0a2
v3.13.0a3
v3.13.0a4
v3.13.0a5
v3.13.0a6
v3.13.0b1
v3.13.0b2
v3.13.0b3
v3.13.0b4
v3.13.0rc1
v3.13.0rc2
v3.13.0rc3
v3.13.1
v3.13.10
v3.13.11
v3.13.12
v3.13.13
v3.13.2
v3.13.3
v3.13.4
v3.13.5
v3.13.6
v3.13.7
v3.13.8
v3.14.0
v3.14.1
v3.14.2
v3.14.3
v3.14.4
v3.14.5
v3.14.5rc1
v3.15.0b1
v3.1a1
v3.1a2
v3.1b1
v3.1rc1
v3.1rc2
v3.2a1
v3.2a2
v3.2a3
v3.2a4
v3.2b1
v3.2b2
v3.2rc1
v3.2rc2
v3.2rc3
v3.3.0a2
v3.3.0a3
v3.3.0a4
v3.3.0b1
v3.3.0b2
v3.3.0rc1
v3.3.0rc2
v3.3.0rc3
v3.4.0a1
v3.4.0a2
v3.4.0a3
v3.4.0a4
v3.4.0b1
v3.4.0b2
v3.4.0b3
v3.5.0a1
v3.5.0a2
v3.5.0a3
v3.5.0a4
v3.5.0b1
v3.6.0a3
v3.6.0b1
v3.7.0a2
v3.9.0a2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-7774.json"