{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-41245: Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-41245","status":"final","version":"1","initial_release_date":"2026-04-20T15:15:24.540Z","current_release_date":"2026-06-30T03:19:13.646Z","revision_history":[{"date":"2026-04-20T15:15:24.540Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Junrar is an open source Java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the issue.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-41245 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-41245"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-41245"},{"category":"external","summary":"https://github.com/junrar/junrar/security/advisories/GHSA-hf5p-q87m-crj7","url":"https://github.com/junrar/junrar/security/advisories/GHSA-hf5p-q87m-crj7"},{"category":"external","summary":"https://github.com/junrar/junrar/commit/d77e9a83eb721cd51f9c23d7869d0e6ad7f952d7","url":"https://github.com/junrar/junrar/commit/d77e9a83eb721cd51f9c23d7869d0e6ad7f952d7"},{"category":"external","summary":"https://github.com/junrar/junrar/releases/tag/v7.5.10","url":"https://github.com/junrar/junrar/releases/tag/v7.5.10"}]},"product_tree":{"branches":[{"category":"vendor","name":"junrar","branches":[{"category":"product_name","name":"junrar","branches":[{"category":"product_version","name":"< 7.5.10","product":{"name":"junrar junrar < 7.5.10","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:junrar:junrar:\\<_7.5.10:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-41245","title":"Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix","notes":[{"category":"description","text":"Junrar is an open source Java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the issue.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H","baseScore":9.3,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"This export records no fixed version, but the CVE description and the referenced upstream v7.5.10 release indicate that version 7.5.10 fixes the issue. Upgrade to 7.5.10 or later and confirm against the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}