CVE-2026-41245

MEDIUM 5.9

Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix

CVSS Score

5.9

EPSS Score

0.0%

EPSS Percentile

0th

Junrar is an open source java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the issue.

CWE	CWE-22
Vendor	junrar
Product	junrar
Published	Apr 20, 2026
Last Updated	Apr 20, 2026

Stay Ahead of the Next One

Get instant alerts for junrar junrar

Be the first to know when new medium vulnerabilities affecting junrar junrar are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

junrar / junrar

< 7.5.10

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/junrar/junrar/security/advisories/GHSA-hf5p-q87m-crj7 github.com: https://github.com/junrar/junrar/commit/d77e9a83eb721cd51f9c23d7869d0e6ad7f952d7 github.com: https://github.com/junrar/junrar/releases/tag/v7.5.10