CVE-2026-11940
Summary
tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive in which a hardlink references a symlink stored under a deeper name than the hardlink itself. The extraction fallback validated the symlink at its archived location but recreated it at the hardlink's shallower path, so a relative target that the filter had judged to be contained could escape the destination directory. This allowed a malicious tar archive to create a symlink pointing outside the destination, enabling out-of-destination file reads or writes. This was an incomplete fix of CVE-2025-4330.
EPSS Score: 0.00599 (0.442)
| Source | Advisory ID | Exploitability score | Exploits found | CWE |
|---|---|---|---|---|
| Docker | CVE-2026-11940 | - | - | - |
| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| python | dhi | - | - | >=0 | Not yet available |
| alpine/python-3.10 | apk | alpine | 3.23 | >=0 | Not yet available |
| alpine/python-3.11 | apk | alpine | 3.23 | >=0 | Not yet available |
| alpine/python-3.12 | apk | alpine | 3.23 | >=0 | Not yet available |
| alpine/python-3.13 | apk | alpine | 3.23 | >=0 | Not yet available |
| alpine/python-3.14 | apk | alpine | 3.23 | >=0 | Not yet available |
| debian/python-3.10 | deb | debian | 13 | >=0 | Not yet available |
| debian/python-3.11 | deb | debian | 13 | >=0 | Not yet available |
| debian/python-3.12 | deb | debian | 13 | >=0 | Not yet available |
| debian/python-3.13 | deb | debian | 13 | >=0 | Not yet available |
| debian/python-3.14 | deb | debian | 13 | >=0 | Not yet available |
Severity and metrics
No CVSS data available from this advisory.
| Source | Advisory ID | CVSS score | Severity | Exploitability score | Exploits found | CWE |
|---|---|---|---|---|---|---|
| Debian | CVE-2026-11940 | - | - | - | - | - |
| Ubuntu | CVE-2026-11940 | N/A | medium | - | - | - |
| Bitnami | BIT-libpython-2026-11940 | 7.8 | high | - | - | - |
| Bitnami | BIT-python-2026-11940 | 7.8 | high | - | - | - |
| Bitnami | BIT-python-min-2026-11940 | - | - | - | - | - |