CVE-2026-43637 PUBLISHED

Cornac < 2.6.0 Path Traversal via _extract_archive() in download.py

Assigner: VulnCheck
Reserved: 01.05.2026 Published: 15.07.2026 Updated: 15.07.2026

Cornac before 2.6.0 contains a path traversal (Tar Slip) vulnerability that allows attackers to write arbitrary files outside the intended cache directory by supplying a crafted TAR archive containing ../ sequences, absolute paths, or symlink/hardlink entries to the _extract_archive() function in cornac/utils/download.py. Attackers can trigger this vulnerability through the built-in dataset loaders, which automatically download and extract archives, causing archive.extractall() to write files to arbitrary locations on the filesystem accessible to the running process.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.8

Product Status

Vendor PreferredAI
Product cornac
Versions Default: affected
  • affected from 0 to 2.6.0 (excl.)

Credits

  • Rahul Karne finder
  • Bharath Kumar Reddy Janumpally finder
  • VulnCheck coordinator

References

Problem Types

  • Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE