BIT-python-min-2026-4360

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/python-min/BIT-python-min-2026-4360.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-python-min-2026-4360
Aliases
Published
2026-07-08T11:36:20.303Z
Modified
2026-07-08T12:11:22.067004594Z
Summary
Tarfile.extract() doesn't fully respect filter parameter
Details

In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.

Database specific
{
    "severity": "Low",
    "cpes": [
        "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / python-min

Package

Name
python-min
Purl
pkg:bitnami/python-min

Severity

  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/python-min/BIT-python-min-2026-4360.json"