[CVE-2026-23745] [node-tar library] Insufficient Link Path Sanitization

January 17, 2026 00:02:51
The Daily Cyberspace Information

Show Notes

The node-tar library (version 7.5.2 and earlier) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default, secure behavior). A malicious archive can therefore bypass the extraction-root restriction that is applied to ordinary entry paths, leading to arbitrary file overwrite via hardlinks whose linkpath points outside the root, and to symlink poisoning via absolute symlink targets.
