{"id":"AZL-79553","summary":"CVE-2026-29786 affecting package tar 1.35-2","details":"node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.","modified":"2026-04-01T05:23:29.020385Z","published":"2026-03-07T16:15:55Z","upstream":["CVE-2026-29786"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29786"}],"affected":[{"package":{"name":"tar","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/tar"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"1.35-2"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-79553.json"}}],"schema_version":"1.7.5"}