Path Traversal Vulnerability in Cornac Library by PreferredAI
CVE-2026-43637
8.8HIGH
What is CVE-2026-43637?
The Cornac library prior to version 2.6.0 is susceptible to a path traversal vulnerability, enabling malicious actors to exploit file writing practices. By delivering a specially crafted TAR archive that includes '../' sequences or absolute path definitions, attackers can manipulate the _extract_archive() function to write files outside of defined cache directories. This vulnerability can be triggered via automated dataset loaders, causing the archive.extractall() method to operate beyond its intended filesystem boundaries, thereby compromising system integrity.
Affected Version(s)
cornac 0
References
CVSS V4
Score:
8.8
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Rahul Karne
Bharath Kumar Reddy Janumpally
VulnCheck
