Patool before 4.0.5 contains a path traversal vulnerability in the safeextract() function in patoolib/programs/pytarfile.py when running on Python before 3.12, where the iswithindirectory() helper uses os.path.commonprefix() for character-level string comparison instead of path-level comparison, allowing a crafted archive member path to bypass the containment check. Attackers can supply a malicious archive with specially crafted member paths to write arbitrary files.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29509.json",
"cna_assigner": "VulnCheck",
"cwe_ids": [
"CWE-22"
]
}