CVE-2026-41245 — Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix

Description

### Summary A path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. ### Example Given an extraction directory set to `/tmp/extract`, a crafted archive with an entry with the filename as `../extract_evil/file.txt` would be actually extracted to `/tmp/extract_evil/file.txt`. ### Details The `createDirectory()` and `createFile()` methods in`LocalFolderExtractor` validate extraction paths using a string prefix.

How to fix CVE-2026-41245

To remediate CVE-2026-41245, upgrade the affected package to a fixed version below.

—upgrade to 7.5.10 or later

Is CVE-2026-41245 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 7.5.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-41245
PATCHgithub.com/junrar/junrar
WEBgithub.com/junrar/junrar/commit/d77e9a83eb721cd51f9c23d7869d0e6ad7f952d7
WEBgithub.com/junrar/junrar/releases/tag/v7.5.10