CVE-2026-41245: Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix

April 16, 2026 (updated April 24, 2026)

A path traversal vulnerability in LocalFolderExtractor allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted.

References

github.com/advisories/GHSA-hf5p-q87m-crj7
github.com/junrar/junrar
github.com/junrar/junrar/commit/d77e9a83eb721cd51f9c23d7869d0e6ad7f952d7
github.com/junrar/junrar/releases/tag/v7.5.10
github.com/junrar/junrar/security/advisories/GHSA-hf5p-q87m-crj7
nvd.nist.gov/vuln/detail/CVE-2026-41245

Code Behaviors & Features

Detect and mitigate CVE-2026-41245 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →