Path Traversal Vulnerability in Archive Extraction for GNU Tar by Various Vendors
CVE-2026-12565

5.3 MEDIUM

Key Information:

Status:
Vendor:
CVE Published: 17 June 2026

What is CVE-2026-12565?

The archive extraction commands in the internal module lack code-level validation of the paths of extracted files. Instead, path safety is left to external tools such as GNU tar, whose behaviour differs between platforms. On systems with GNU tar versions below 1.34 (for example Ubuntu 20.04, Debian Buster and CentOS 7), a maliciously crafted archive can therefore write files outside the intended extraction directory.
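The code-level check the description says is missing, as an added Python example (not BBOT's own code): every tar member's resolved path and link target is audited against the destination directory before anything is written, so safety no longer depends on the installed tar binary. The destination path, function names and sample archive contents are constructed for the demonstration.

```python
import io
import os
import tarfile
from typing import List, Tuple

def _inside(base: str, target: str) -> bool:
    """True if target resolves to a path within base (both passed through realpath)."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def check_members(members, dest: str) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected) member names. Rejected: absolute names, names that
    escape dest via '..', and symlinks/hardlinks whose target lies outside dest."""
    accepted, rejected = [], []
    for m in members:
        path = os.path.join(dest, m.name)
        bad = os.path.isabs(m.name) or not _inside(dest, path)
        if not bad and (m.issym() or m.islnk()):
            # symlink targets are relative to the link's directory, hardlinks to the archive root
            link_base = os.path.dirname(path) if m.issym() else dest
            bad = os.path.isabs(m.linkname) or not _inside(dest, os.path.join(link_base, m.linkname))
        (rejected if bad else accepted).append(m.name)
    return accepted, rejected

def audit_archive_bytes(data: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Validate every member of an in-memory tar archive against dest without extracting."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return check_members(tar.getmembers(), dest)

def safe_extract(archive: str, dest: str) -> List[str]:
    """Extract only after every member passed validation; refuse the whole archive otherwise."""
    with tarfile.open(archive) as tar:
        members = tar.getmembers()
        accepted, rejected = check_members(members, dest)
        if rejected:
            raise ValueError(f"refusing to extract, unsafe members: {rejected}")
        # Python 3.12+ (and security backports) also ship an in-library 'data' filter; use it when present
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    return accepted

def build_sample_archive() -> bytes:
    """Constructed sample: a benign file, a '../' traversal entry, and a symlink escaping dest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        ok = tarfile.TarInfo("ok/notes.txt"); ok.size = 5; tar.addfile(ok, io.BytesIO(b"hello"))
        tar.addfile(tarfile.TarInfo("../escaped.txt"))  # zero-length entry, no data needed
        link = tarfile.TarInfo("link"); link.type = tarfile.SYMTYPE; link.linkname = "../../outside.txt"
        tar.addfile(link)
    return buf.getvalue()
```

Rejecting the whole archive on the first unsafe member is deliberate: extracting the "good" entries of a crafted archive still lets a symlink written earlier redirect a later entry.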

Affected Version(s)

BBOT 2.3.1

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
