CVE-2026-41245
Published: 20 April 2026
Summary
CVE-2026-41245 is a medium-severity Path Traversal (CWE-22) vulnerability in Junrar (Junrar Project). Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE ranks at the 23.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-41245 is a path traversal vulnerability (CWE-22) in the Junrar open-source Java RAR archive library, affecting versions prior to 7.5.10. The flaw resides in the `LocalFolderExtractor` component, which mishandles crafted RAR archives during extraction, enabling attackers to write arbitrary files containing attacker-controlled content into sibling directories relative to the extraction target.
The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating a network-vector attack with high attack complexity but no privileges or user interaction required. Remote attackers can exploit it by tricking victims into extracting a malicious RAR archive processed by vulnerable Junrar instances, achieving arbitrary file writes outside the intended extraction directory and potentially leading to integrity compromises such as overwriting configuration files or injecting malicious scripts.
Mitigation is available via upgrade to Junrar version 7.5.10, which addresses the issue as detailed in the project's GitHub security advisory (GHSA-hf5p-q87m-crj7), release notes, and the fixing commit (d77e9a83eb721cd51f9c23d7869d0e6ad7f952d7). Security practitioners should audit applications using Junrar for unpatched versions and validate RAR inputs where possible.
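As an added example (not Junrar's own code), the containment check an archive extractor needs in order to stop the sibling-directory write described above: each entry name is resolved against the extraction directory and normalized, and anything that does not remain under that directory is rejected. The destination path and the entry names are constructed for illustration, and the check assumes a POSIX file system.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SafeExtractPath {

    /**
     * Resolve an archive entry name against destDir and return the file to write,
     * or throw if the normalized result would land outside destDir (a "../"
     * sibling-directory write, or an absolute path). This is a lexical check;
     * it does not protect against a symlink an earlier entry may have planted
     * inside destDir, so callers should also refuse to follow symlinks while writing.
     */
    public static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        // RAR headers may carry backslash-separated names; treat them as separators.
        String name = entryName.replace('\\', '/');
        // resolve() returns the argument unchanged when it is absolute, so an
        // absolute entry name also fails the startsWith check below.
        Path target = base.resolve(name).normalize();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("entry escapes extraction directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/tmp/extract-target");      // constructed destination
        String[] samples = {                               // constructed entry names
            "docs/readme.txt",                             // benign nested entry
            "../sibling/evil.txt",                         // sibling-directory traversal
            "docs/../../sibling/evil.txt",                 // traversal hidden behind a sub-path
            "/var/tmp/elsewhere.txt",                      // absolute path
            "..\\sibling\\evil.txt"                        // backslash variant
        };
        for (String s : samples) {
            try {
                System.out.println("OK      " + s + " -> " + resolveEntry(dest, s));
            } catch (IOException e) {
                System.out.println("REJECT  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample is accepted; the remaining four are rejected before any file is opened for writing.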
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23872
Vulnerability details
Junrar is an open source Java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in RAR extraction enables arbitrary file writes via crafted malicious archives, directly facilitating exploitation of public-facing apps processing user-supplied RARs (T1190) and user execution of malicious files (T1204.002) to achieve file writes or script injection.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely identification, reporting, and remediation of the path traversal flaw in vulnerable Junrar versions to prevent exploitation.
- SI-10 (Information Input Validation): Mandates validation of RAR archive inputs, including entry paths, to block crafted archives from enabling traversal outside intended directories.
- RA-5 (Vulnerability Monitoring and Scanning): Enables vulnerability scanning to identify and report systems using unpatched Junrar libraries affected by this path traversal CVE.