Cyber Resilience

CVE-2026-28208

MediumPublic PoC

Published: 26 February 2026

Published
26 February 2026
Modified
02 March 2026
KEV Added
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0021 43.7th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28208 is a medium-severity Path Traversal (CWE-22) vulnerability in Junrar Project Junrar. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Cron (T1053.003); ranked at the 43.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

Junrar is an open source java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is…

more

extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc). Version 7.5.8 has a fix for the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1053.003 Cron Execution
Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.
T1546.004 Unix Shell Configuration Modification Privilege Escalation
Adversaries may establish persistence through executing malicious commands triggered by a user’s shell.
Why these techniques?

Path traversal in archive extraction directly enables overwriting cron jobs (T1053.003) and Unix shell profiles (T1546.004) for RCE/persistence on Linux.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

junrar project
junrar
≤ 7.5.8

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References