CVE-2026-12565
Path Traversal (Zip-Slip) in unarchive module
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.
| CWE | CWE-22 |
| Vendor | black lantern security |
| Product | bbot |
| Published | Jun 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for black lantern security bbot
Be the first to know when new medium vulnerabilities affecting black lantern security bbot are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Affected Versions
Black Lantern Security / BBOT
2.3.1 โค <=2.8.4