Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2026-24909

Good to know:

icon
icon

Date: January 27, 2026

vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.

Severity Score

Related Resources (8)

https://github.com/vltpkg/vltpkg
https://github.com/vltpkg/vltpkg/pull/1334
https://github.com/vltpkg/vltpkg/releases/tag/v1.0.0-rc.10
https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack
https://nvd.nist.gov/vuln/detail/CVE-2026-24909
https://github.com/vltpkg/vltpkg/commit/ff8d4099a1929772cea2adf131285e90ede6b0dd
https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act
https://www.mend.io/vulnerability-database/CVE-2026-24909

Severity Score

Weakness Type (CWE)

Relative Path Traversal

CWE-23

Top Fix

icon

Upgrade Version

Upgrade to version vlt - 1.0.0-rc.10;@vltpkg/tar - 1.0.0-rc.10;https://github.com/vltpkg/vltpkg.git - v1.0.0-rc.10

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us