CVE-2026-29064

High CVSS: 8.2

Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package. This issue has been patched in version 0.73.1.

Vendor

Lfprojects

Product

Zarf

CWE

CWE-22

Yayın Tarihi

2026-03-06 17:16:34

Güncelleme

2026-03-11 00:28:49

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Zarf HIGH Lfprojects 2026

Referanslar

https://github.com/zarf-dev/zarf/releases/tag/v0.73.1 https://github.com/zarf-dev/zarf/security/advisories/GHSA-hcm4-6hpj-vghm

Benzer Kayıtlar

High

CVE-2026-34742

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does no…

Medium

CVE-2026-34237

MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 1.0.1 and 1.1.1,…

High

CVE-2026-33946

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby S…

Critical

CVE-2025-15031

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar a…

Medium

CVE-2026-29791

Agentgateway is an open source data plane for agentic AI connectivity within or across any agent framework or environmen…

Medium

CVE-2026-21864

Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed ke…