
exploitDog


CVE-2026-28208

Published: 26 Feb 2026
Source: redhat
CVSS3: 5.9

Description

Junrar is an open source Java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in LocalFolderExtractor allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc.). Version 7.5.8 has a fix for the issue.

A flaw was found in Junrar, an open-source Java RAR archive library. This vulnerability, a backslash path traversal, allows a remote attacker to write arbitrary files to any location on the filesystem when a specially crafted RAR archive is extracted on Linux/Unix systems. This can lead to remote code execution, enabling an attacker to compromise the system by overwriting critical files such as shell profiles or cron jobs.
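Added example (Python, not junrar's own code) of the check a defender wants around archive extraction on a POSIX host: an assumed model of the flawed pattern (traversal check on the raw name split by '/' only, output path built after converting backslashes), beside a hardened entry-name resolver and a pre-extraction gate that rejects the whole archive before anything is written. DEST_DIR, the sample entry names and the naive_target model are constructed assumptions, not taken from the advisory or the library.

```python
import os
from typing import List, Tuple

# Constructed destination directory for this example (assumes a POSIX host,
# where '\' is an ordinary filename character rather than a separator).
DEST_DIR = "/srv/extract/out"


def naive_target(dest_dir: str, entry_name: str) -> str:
    """Assumed model of the flawed pattern (not junrar's actual code): the
    check splits the raw name on '/' only, but the output path is built after
    converting '\\' to '/', so a backslash-written name is never inspected."""
    if ".." in entry_name.split("/"):
        raise ValueError("traversal rejected: " + entry_name)
    return os.path.abspath(os.path.join(dest_dir, entry_name.replace("\\", "/")))


def safe_target(dest_dir: str, entry_name: str) -> str:
    """Hardened resolution: normalise both separators first, reject absolute
    names and drive letters, reject any '..' component, then verify that the
    resolved path is still inside the destination directory."""
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise ValueError("absolute entry name: " + entry_name)
    if ".." in name.split("/"):
        raise ValueError("parent reference in entry name: " + entry_name)
    root = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("escapes destination: " + entry_name)
    return target


def audit_entries(dest_dir: str, entry_names: List[str]) -> Tuple[bool, List[str]]:
    """Pre-extraction gate: resolve every entry with safe_target and collect
    the reasons for rejection; extract only if the whole archive passes."""
    problems = []
    for name in entry_names:
        try:
            safe_target(dest_dir, name)
        except ValueError as exc:
            problems.append(str(exc))
    return (not problems, problems)


# Constructed entry names, as they might appear in an archive's file headers.
SAMPLE_ENTRIES = [
    "docs/readme.txt", "docs\\notes.txt",
    "..\\..\\..\\tmp\\marker.txt", "/etc/marker.conf",
]
```

Running audit_entries(DEST_DIR, SAMPLE_ENTRIES) rejects the archive on the two bad entries, while naive_target silently resolves the backslash entry to /tmp/marker.txt.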

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform | Package | State | Recommendation | Release
Red Hat Fuse 7 | junrar | Fix deferred | - | -
Red Hat JBoss Enterprise Application Platform 8 | junrar | Fix deferred | - | -
Red Hat JBoss Enterprise Application Platform Expansion Pack | junrar | Fix deferred | - | -


Additional information

Status:

Moderate
Defect:
CWE-22
https://bugzilla.redhat.com/show_bug.cgi?id=2443166
com.github.junrar/junrar: Junrar: Remote code execution via path traversal when extracting crafted RAR archives

5.9 Medium

CVSS3

Related vulnerabilities

CVSS3: 5.9
nvd
29 days ago

Junrar is an open source Java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc.). Version 7.5.8 has a fix for the issue.

CVSS3: 5.9
github
28 days ago

Junrar has an arbitrary file write due to backslash Path Traversal bypass in LocalFolderExtractor on Linux/Unix

5.9 Medium

CVSS3