Cyber Posture

CVE-2026-26960

High · Public PoC

Published: 20 February 2026

Modified: 20 February 2026
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0001 (0.8th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26960 is a high-severity Path Traversal (CWE-22) vulnerability in Isaacs Tar. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked at the 0.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002) and 2 other techniques.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: Validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise Techniques (AI)

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

Why these techniques?

A malicious tar archive requires user extraction (T1204.002) to trigger the path traversal, which directly enables arbitrary local file reads (T1005) and writes of attacker-controlled content to any path (T1105).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.

Deeper analysis (AI)

CVE-2026-26960 affects node-tar, a full-featured Tar library for Node.js, in versions 7.5.7 and prior. The vulnerability allows an attacker-controlled archive to create a hardlink within the extraction directory that references a file outside the intended extraction root. This path traversal issue (CWE-22) bypasses standard protections, effectively turning archive extraction into a primitive for arbitrary filesystem read and write operations executed with the privileges of the extracting user. Published on 2026-02-20, it carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), rated high severity.

A local attacker with low complexity can exploit this by tricking a user into extracting a malicious tar archive using default options. No privileges are required from the attacker, but user interaction is needed to initiate extraction. Successful exploitation grants high-impact confidentiality and integrity violations, such as reading sensitive files or overwriting arbitrary ones outside the extraction directory, without affecting availability.

The issue is addressed in node-tar version 7.5.8. Relevant GitHub resources include the security advisory at GHSA-83g3-92jg-28cx and fixing commits 2cb1120bcefe28d7ecc719b41441ade59c52e384 and d18e4e1f846f4ddddc153b0f536a19c050e7499f, which practitioners should review for patch details and upgrade guidance.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

isaacs / tar (≤ 7.5.8)

CVEs Like This One

CVE-2026-24842 · Same product: Isaacs Tar
CVE-2026-23950 · Same product: Isaacs Tar
CVE-2025-1915 · Shared CWE-22
CVE-2026-28793 · Shared CWE-22
CVE-2026-28447 · Shared CWE-22
CVE-2026-29064 · Shared CWE-22
CVE-2026-3795 · Shared CWE-22
CVE-2026-32711 · Shared CWE-22
CVE-2025-8729 · Shared CWE-22
CVE-2026-6615 · Shared CWE-22
