CVE-2026-24909: vlt Mishandles Path Sanitization for tar
vlt before 1.0.0-rc.10 does not correctly sanitize entry paths when extracting tar archives, so an archive with crafted entry names can cause files to be written outside the intended extraction directory (path traversal during extraction). The issue is fixed in 1.0.0-rc.10.
References
- github.com/advisories/GHSA-gf2c-jwcj-x929
- github.com/vltpkg/vltpkg
- github.com/vltpkg/vltpkg/commit/ff8d4099a1929772cea2adf131285e90ede6b0dd
- github.com/vltpkg/vltpkg/pull/1334
- github.com/vltpkg/vltpkg/releases/tag/v1.0.0-rc.10
- nvd.nist.gov/vuln/detail/CVE-2026-24909
- www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act
- www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack