CVE-2026-29509
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
A path traversal vulnerability in Patool before version 4.0.5 in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12 allows attackers to write arbitrary files by supplying a malicious archive with specially crafted member paths.
Risk Assessment
The risk involves the possibility of overwriting or creating arbitrary files on the victim's system, which could lead to application or system compromise depending on the context in which Patool is used.
Recommendation
Immediately update Patool to version 4.0.5 or later. If an update is not possible, use Python version 3.12 or later, which includes security fixes for this function.
Original NVD description (English source)
Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12, where the is_within_directory() helper uses os.path.commonprefix() for character-level string comparison instead of path-level comparison, allowing a crafted archive member path to bypass the containment check. Attackers can supply a malicious archive with specially crafted member paths to write arbitrary files.

