Vulnerability Description
Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12, where the is_within_directory() helper uses os.path.commonprefix() for character-level string comparison instead of path-level comparison, allowing a crafted archive member path to bypass the containment check. Attackers can supply a malicious archive with specially crafted member paths to write arbitrary files.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/wummel/patool/blob/main/doc/changelog.txt
- https://github.com/wummel/patool/releases/tag/4.0.5
- https://www.vulncheck.com/advisories/patool-path-traversal-via-safe-extract-func
FAQ
What is CVE-2026-29509?
CVE-2026-29509 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12, where the is_within_directory() helper...
How severe is CVE-2026-29509?
CVE-2026-29509 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-29509?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.