{"id":"AZL-79556","summary":"CVE-2026-29786 affecting package tar 1.34-3","details":"node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.","modified":"2026-04-01T05:23:29.029421Z","published":"2026-03-07T16:15:55Z","upstream":["CVE-2026-29786"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29786"}],"affected":[{"package":{"name":"tar","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/tar"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"1.34-3"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-79556.json"}}],"schema_version":"1.7.5"}