EXECUTIVE SUMMARY:
A path traversal vulnerability, CVE-2026-24909, has been identified in the npm package vltpkg tar, affecting all versions. Inadequate sanitization of file paths during tar archive extraction can be leveraged by a malicious actor to write files to arbitrary locations outside the intended extraction directory. This behavior could be abused in software supply chains or automated build environments that consume this package, potentially leading to integrity compromise of the host environment or injection of unauthorized files. Users and automated systems that depend on this package in their workflows are advised to update to the patched version to mitigate this vulnerability. The vulnerability has a CVSS score of 5.9.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: