Cyber Resilience

CVE-2026-41245

Severity: Medium
Published: 20 April 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0032 (23.5th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-41245 is a medium-severity Path Traversal (CWE-22) vulnerability in Junrar, the Junrar Project's Java RAR archive library. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-41245 is a path traversal vulnerability (CWE-22) in the Junrar open-source Java RAR archive library, affecting versions prior to 7.5.10. The flaw resides in the `LocalFolderExtractor` component, which mishandles crafted RAR archives during extraction, enabling attackers to write arbitrary files containing attacker-controlled content into sibling directories relative to the extraction target.

The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N): a network-vector attack with high attack complexity that requires neither privileges nor user interaction. A remote attacker exploits it by getting a malicious RAR archive extracted by an application that uses a vulnerable Junrar version, achieving arbitrary file writes outside the intended extraction directory. The impact is to integrity, for example overwriting configuration files or injecting malicious scripts.

Mitigation is available via upgrade to Junrar version 7.5.10, which addresses the issue as detailed in the project's GitHub security advisory (GHSA-hf5p-q87m-crj7), release notes, and the fixing commit (d77e9a83eb721cd51f9c23d7869d0e6ad7f952d7). Security practitioners should audit applications using Junrar for unpatched versions and validate RAR inputs where possible.
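The analysis above says the writes land in sibling directories of the extraction target, which is exactly what a character-wise string-prefix check on the destination path lets through. The following is an added illustration written for this page (it is not Junrar's code and makes no claim about how Junrar's own check was written): the class name, method names and the sample root path are constructed, and the check compares whole path components so that both sibling directories and parent traversal are rejected.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SafeExtractTarget {
    /**
     * Resolve an archive entry name against the extraction root and return the
     * target only if it stays inside that root. Path.startsWith compares whole
     * name elements, so a sibling such as "<root>-other" is rejected even though
     * its string form begins with the root's string. Absolute entry names
     * replace the root on resolve() and are therefore rejected as well.
     */
    public static Path resolveInsideRoot(Path root, String entryName) {
        Path absRoot = root.toAbsolutePath().normalize();
        Path target;
        try {
            target = absRoot.resolve(entryName).normalize();
        } catch (InvalidPathException e) {
            throw new SecurityException("Unparseable entry name: " + entryName, e);
        }
        if (!target.startsWith(absRoot) || target.equals(absRoot)) {
            throw new SecurityException("Entry escapes extraction root: " + entryName);
        }
        return target;
    }

    /** String-prefix containment check, shown only to contrast what it lets through. */
    static boolean stringPrefixCheck(Path root, String entryName) {
        String absRoot = root.toAbsolutePath().normalize().toString();
        String target = root.toAbsolutePath().resolve(entryName).normalize().toString();
        return target.startsWith(absRoot);
    }

    public static void main(String[] args) {
        Path root = Paths.get("/srv/extract/job1");   // constructed sample extraction root
        String[] entries = {
            "docs/readme.txt",                 // legitimate, stays inside the root
            "../job1-other/config.properties", // lands in a sibling directory of the root
            "../../shared/config.properties",  // plain parent-directory traversal
        };
        for (String e : entries) {
            String strict;
            try {
                strict = "accepted -> " + resolveInsideRoot(root, e);
            } catch (SecurityException ex) {
                strict = "rejected: " + ex.getMessage();
            }
            System.out.printf("%-34s prefix=%-5b component=%s%n", e, stringPrefixCheck(root, e), strict);
        }
    }
}
```

Running it shows the sibling-directory entry passing the string-prefix check while the component-wise check rejects it; only the first entry is accepted by both.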


Vulnerability details

Junrar is an open-source Java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the issue.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Path traversal in RAR extraction enables arbitrary file writes via crafted malicious archives, directly facilitating exploitation of public-facing apps processing user-supplied RARs (T1190) and user execution of malicious files (T1204.002) to achieve file writes or script injection.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2505 (shared CWE-22)
CVE-2026-5841 (shared CWE-22)
CVE-2026-33242 (shared CWE-22)
CVE-2026-33292 (shared CWE-22)
CVE-2026-35605 (shared CWE-22)
CVE-2025-53632 (shared CWE-22)
CVE-2025-8110 (shared CWE-22)
CVE-2026-8757 (shared CWE-22)
CVE-2025-7712 (shared CWE-22)
CVE-2025-11002 (shared CWE-22)

Affected Assets

Vendor: junrar project
Product: junrar
Versions: ≤ 7.5.10

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely identification, reporting, and remediation of the path traversal flaw in vulnerable Junrar versions to prevent exploitation.

prevent: Mandates validation of RAR archive inputs, including paths, to block crafted archives from enabling traversal outside intended directories.

detect: Enables vulnerability scanning to identify and report systems using unpatched Junrar libraries affected by this path traversal CVE.
