216.73.216.86

CVE-2026-24846

· Published 29/01/2026 22:15 · Modified 29/01/2026 22:15

Labels: CVE-2026-24846 2026-01-29CVE-2026-24846CWE-22[email protected]

Essential information

Published
29/01/2026 22:15
Modified
29/01/2026 22:15
Author
Creator
CVSS
5.5 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS metrics

Description

malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
malcontent / malcontent cpe:2.3:a:malcontent:malcontent:1.8.0-1.20.2:*:*:*:*:*:*:*
malcontent / malcontent cpe:2.3:a:malcontent:malcontent:1.20.3:*:*:*:*:*:*:*

References