CVE-2026-40491: Archive Extractall Path Traversal

Calling `extractall()` on an archive object without validating member paths can result in a path traversal (ZipSlip/TarSlip) vulnerability. Verify that the archive members resolve strictly within the intended target directory, pass a restrictively filtered `members=` list, or use `filter='data'` (Python 3.12+).
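As an added illustration (not code from the rule or its repository): the "members resolve strictly inside the target directory" check from the description, applied to a constructed tar archive, with only the vetted entries passed via `members=` and `filter='data'` added where the interpreter provides it. The names `build_demo_tar`, `safe_members`, `safe_extract` and `demo` are chosen here.

```python
import io
import os
import tarfile
import tempfile


def build_demo_tar() -> bytes:
    """Constructed sample archive: one benign member, one '..' traversal
    member and one absolute-path member (all written via addfile so the
    names are stored exactly as given)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/readme.txt", "../escape.txt", "/etc/owned"):
            data = b"hello\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def safe_members(tf: tarfile.TarFile, dest: str) -> list[tarfile.TarInfo]:
    """Keep only plain files/dirs whose resolved path stays under dest.
    Links and special files are dropped outright: a symlink member can
    redirect a later member outside dest even when its own name is clean."""
    root = os.path.realpath(dest)
    keep = []
    for m in tf.getmembers():
        if not (m.isfile() or m.isdir()):
            continue
        target = os.path.realpath(os.path.join(root, m.name))
        if os.path.commonpath([root, target]) != root:
            continue  # '..' or an absolute name escapes the target directory
        keep.append(m)
    return keep


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract only vetted members; returns the names actually written."""
    # On 3.12+ tarfile.data_filter exists; use it as a second layer.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        members = safe_members(tf, dest)
        tf.extractall(dest, members=members, **extra)
    return [m.name for m in members]


def demo() -> tuple[list[str], bool]:
    """Run the hardened extraction in a scratch directory; returns the
    extracted names and whether anything landed outside dest."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "out")
        os.mkdir(dest)
        names = safe_extract(build_demo_tar(), dest)
        escaped = os.path.exists(os.path.join(scratch, "escape.txt"))
    return names, escaped


if __name__ == "__main__":
    print(demo())  # (['docs/readme.txt'], False)
```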

Provally Curated | Public repository | Severity: High | Medium confidence | Verified | Apache-2.0 | python
greprules fetch cve-2026-40491-archive-extractall-path-traversal --engine opengrep

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
