CVE-2026-28208
Junrar has arbitrary file write due to backslash path traversal bypass in LocalFolderExtractor on Linux/Unix
CVSS Score
5.9
EPSS Score
0.0%
EPSS Percentile
0th
Junrar is an open source java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc). Version 7.5.8 has a fix for the issue.
| CWE | CWE-22 |
| Vendor | junrar |
| Product | junrar |
| Published | Feb 26, 2026 |
| Last Updated | Mar 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for junrar junrar
Be the first to know when new medium vulnerabilities affecting junrar junrar are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Affected Versions
junrar / junrar
< 7.5.8