vlt, Path Traversal Vulnerability, CVE-2026-????? (Moderate)

Listen to this Post

The vulnerability in vlt (before version 1.0.0-rc.10) stems from insufficient sanitization of file paths within tar archive entries during the extraction process. When vlt extracts a tar file, it fails to properly validate and neutralize pathnames containing directory traversal sequences (e.g., ../../../../etc/passwd). An attacker can craft a malicious tar archive where a file entry’s name contains these sequences. During extraction, the software concatenates this unsanitized entry name to the target destination directory without resolving the `..` components to prevent escape. Consequently, the file is written to an arbitrary location outside the intended extraction directory, determined by the number of parent directory traversals in the path. This allows for arbitrary file overwrite on the host filesystem, potentially leading to remote code execution if critical system or application files are replaced.
Platform: vlt
Version: <1.0.0-rc.10
Vulnerability: Path Traversal
Severity: Moderate
date: Jan 28 2026

Prediction: Feb 04 2026

What Undercode Say:

Analytics

Identify vlt version
vlt --version
Simulate vulnerable extraction
tar -tf malicious.tar
Output: ../../../../tmp/exploit.sh
Check for patch in source
grep -r "sanitizePath|secureExtract" src/

How Exploit:

1. Attacker creates tar archive with malicious path.

2. User executes `vlt` to extract the archive.

  1. Payload is written to system location (e.g., /etc/cron.d).

4. Payload execution leads to compromise.

Protection from this CVE

  • Upgrade to vlt >=1.0.0-rc.10.
  • Extract archives in isolated containers.
  • Pre-extract path audit using tar -tf.

Impact:

Arbitrary File Overwrite

Potential RCE

Integrity Loss

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top