{"id":"GHSA-gf2c-jwcj-x929","summary":"vlt Mishandles Path Sanitization for tar","details":"vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.","aliases":["CVE-2026-24909"],"modified":"2026-02-03T03:06:30.744805Z","published":"2026-01-28T00:31:42Z","database_specific":{"severity":"MODERATE","nvd_published_at":"2026-01-27T23:15:50Z","cwe_ids":["CWE-23"],"github_reviewed":true,"github_reviewed_at":"2026-01-28T16:48:36Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24909"},{"type":"WEB","url":"https://github.com/vltpkg/vltpkg/pull/1334"},{"type":"WEB","url":"https://github.com/vltpkg/vltpkg/commit/ff8d4099a1929772cea2adf131285e90ede6b0dd"},{"type":"PACKAGE","url":"https://github.com/vltpkg/vltpkg"},{"type":"WEB","url":"https://github.com/vltpkg/vltpkg/releases/tag/v1.0.0-rc.10"},{"type":"WEB","url":"https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act"},{"type":"WEB","url":"https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack"}],"affected":[{"package":{"name":"@vltpkg/tar","ecosystem":"npm","purl":"pkg:npm/%40vltpkg/tar"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.0.0-rc.10"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gf2c-jwcj-x929/GHSA-gf2c-jwcj-x929.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"}]}