Threat Advisory

Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-26960 is a high-severity vulnerability in the widely used Node.js tar package: the tar .extract() functionality can be manipulated by an attacker-controlled archive to bypass its normal path protections and create hardlinks that point outside the intended extraction directory. The flaw enables arbitrary file read and write operations with the privileges of the user running the extracting process, potentially exposing sensitive data or modifying critical files. All tar versions earlier than 7.5.8 are affected, because they do not correctly mitigate a hardlink escape that passes through a chain of symlinks. Its CVSS v3 base score is 7.1 (High), reflecting a locally exploitable issue with low attack complexity and significant impact on confidentiality and integrity. Exploitation requires user interaction and does not change scope beyond the vulnerable component, but it poses severe risk wherever untrusted archives are extracted without strict safeguards.

RECOMMENDATION:

We strongly recommend you update the Node.js tar package to version 7.5.8.

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-83g3-92jg-28cx
