Path Traversal Vulnerability in Cornac Library by PreferredAI
CVE-2026-43637

8.8HIGH

Key Information:

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-43637?

The Cornac library prior to version 2.6.0 is susceptible to a path traversal vulnerability, enabling malicious actors to exploit file writing practices. By delivering a specially crafted TAR archive that includes '../' sequences or absolute path definitions, attackers can manipulate the _extract_archive() function to write files outside of defined cache directories. This vulnerability can be triggered via automated dataset loaders, causing the archive.extractall() method to operate beyond its intended filesystem boundaries, thereby compromising system integrity.

Affected Version(s)

cornac 0

References

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rahul Karne
Bharath Kumar Reddy Janumpally
VulnCheck
.