CVE-2026-4360
Tarfile.extract() doesn't fully respect filter parameter
Vexday Risk Score
8 (Low)
SSVC Decision (CISA)
Track
No sign of exploitation → monitor
CVSS 2 | EPSS 0.3% | KEV no | PoC — | Nuclei — | Metasploit — | Patch referenced
Lifecycle
30 Jun 2026: Published in NVD
Recommendation: Monitor; no sign of exploitation for now.
In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
Python Software Foundation · CPython
References
https://github.com/python/cpython/commit/5e0ef3f1afe892e4f64eb83368db57ac4c40cba0
https://github.com/python/cpython/commit/7b57e8d51446297b8c7c482d224bc5f1938e4301
https://github.com/python/cpython/commit/7ccdbaba2c54250a70d7f25632152df7655a5e0a
https://github.com/python/cpython/commit/eee3ddf0ca10283cc7fea724aae9cd8665f8d15e
https://github.com/python/cpython/issues/151987
https://github.com/python/cpython/pull/151988
https://mail.python.org/archives/list/security-announce@python.org/thread/TWZW2PC2AZOV6FENIHFSRC63OM7MBGSB/