Path Traversal Vulnerability in Junrar Java RAR Archive Library
CVE-2026-28208

5.9 MEDIUM

Key Information:

Vendor: Junrar

Status
Vendor
CVE Published: 26 February 2026

What is CVE-2026-28208?

Junrar, an open-source Java library for RAR archives, is vulnerable to path traversal in versions prior to 7.5.8. Improper validation in the LocalFolderExtractor component means that extracting a crafted RAR file can write arbitrary files throughout the filesystem on Linux/Unix systems. The consequences can be severe: by overwriting critical system files, including shell profiles and cron jobs, a malicious actor may be able to achieve remote code execution. Version 7.5.8 fixes the vulnerability, and users are encouraged to upgrade their installations promptly.
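A caller-side containment check for extraction targets, shown as an added example: it is not Junrar's code and not the 7.5.8 fix. The class `SafeExtractPath`, the helper `resolveEntry` and the entry names are hypothetical, and the destination directory is assumed to exist.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeExtractPath {

    // Hypothetical helper (not Junrar API): map an entry name to a path under
    // destDir, or throw if the result would land outside it.
    // Side effect: creates the entry's parent directories inside destDir.
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        if (entryName.isEmpty() || entryName.indexOf('\0') >= 0) {
            throw new IOException("Invalid entry name");
        }
        // Treat '\' as a separator BEFORE validating, so the check sees the
        // same path that would be written on Linux/Unix.
        String name = entryName.replace('\\', '/');
        Path base = destDir.toRealPath();
        // resolve() returns an absolute argument unchanged; normalize() folds
        // ".." segments. Both cases are then caught by the containment test.
        Path target = base.resolve(name).normalize();
        // Path.startsWith compares whole components, so "/out-evil/x" is not
        // accepted as a child of "/out".
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("Entry escapes destination: " + entryName);
        }
        // normalize() is purely lexical: re-check the real parent so a symlink
        // already inside destDir cannot redirect the write.
        Path parent = Files.createDirectories(target.getParent()).toRealPath();
        if (!parent.startsWith(base)) {
            throw new IOException("Symlinked parent escapes destination: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("extract-demo");
        // Constructed entry names, not taken from a real archive.
        String[] names = { "docs/readme.txt", "../../etc/cron.d/job",
                           "..\\..\\home\\user\\.bashrc", "/etc/cron.d/job",
                           "docs/../../outside.txt" };
        for (String n : names) {
            try {
                System.out.println("ACCEPT " + n + " -> " + resolveEntry(dest, n));
            } catch (IOException e) {
                System.out.println("REJECT " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first constructed name is accepted; a check like this is defense in depth around extraction and does not replace upgrading to 7.5.8.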

Affected Version(s)

junrar < 7.5.8

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
