High severityNVD Advisory· Published Mar 30, 2022· Updated Feb 25, 2026

[20220301] - Core - Zip Slip within the Tar extractor

CVE-2022-23793

Description

An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting an specifilcy crafted tar package could write files outside of the intended path.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
joomla/archivePackagist	< 1.1.12	1.1.12
joomla/archivePackagist	>= 2.0.0, < 2.0.1	2.0.1

Affected products

Joomlaprojects/Joomla! CMSv5
Range: 3.0.0-3.10.6 & 4.0.0-4.1.0
Joomla! Project/Joomla/archivev5
Range: 1.0.0-1.1.11 & 2.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.htmlghsax_refsource_MISCvendor-advisoryWEB
github.com/advisories/GHSA-jm67-jh3g-cg3fghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-23793ghsaADVISORY
packetstormsecurity.com/files/166546/Joomla-4.1.0-Zip-Slip-File-Overwrite-Path-Traversal.htmlghsax_refsource_MISCWEB
github.com/FriendsOfPHP/security-advisories/blob/master/joomla/archive/CVE-2022-23793.yamlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000