Arbitrary File Read and Write Vulnerability in Node.js Tar by Isaac's
CVE-2026-26960

7.1HIGH

Key Information:

Vendor

Isaacs

Status
Node-tar
Vendor
CVE Published:
20 February 2026

What is CVE-2026-26960?

The node-tar library for Node.js has a significant vulnerability that allows an attacker to create hardlinks to files outside the extraction directory when using default options in versions 7.5.7 and earlier. This flaw bypasses standard path protections during archive extraction, granting the extracting user arbitrary read and write access to the filesystem. This vulnerability highlights the importance of secure package handling and has been rectified in version 7.5.8, where enhanced safeguards prevent such exploitation.

Affected Version(s)

node-tar < 7.5.8

References

https://github.com/isaacs/node-tar/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d...
x_refsource_MISC
https://github.com/isaacs/node-tar/commit/d18e4e1f846f4dd...
x_refsource_MISC

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.