Moderate severity · NVD Advisory · Published Feb 26, 2026 · Updated Mar 2, 2026

Junrar has arbitrary file write due to backslash path traversal bypass in LocalFolderExtractor on Linux/Unix

CVE-2026-28208

Description

Junrar is an open source Java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in LocalFolderExtractor allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., by overwriting shell profiles, source code, or cron jobs). Version 7.5.8 has a fix for the issue.
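A containment check of the kind that closes this class of bug, as an added example (not Junrar's code or its actual patch). It assumes the bypass relies on `\` being an ordinary filename character on Linux/Unix, so a check that runs before separator conversion never sees the `..` components. `SafeEntryPath`, `resolveEntry` and `/tmp/extract` are hypothetical names, and the entry names are constructed samples.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeEntryPath {

    // Resolve an archive entry name under destDir, or throw if it would escape.
    // Separators are normalized BEFORE the containment check, so the path that
    // is validated is the same path that is later written.
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        // On Linux/Unix '\' is not a separator: "..\..\x" parses as ONE filename
        // component and passes a naive check unless it is converted first.
        String normalized = entryName.replace('\\', '/');
        Path base = destDir.toAbsolutePath().normalize();
        // resolve() returns an absolute entry name unchanged; the startsWith
        // check below rejects that case as well.
        Path target = base.resolve(normalized).normalize();
        // Path.startsWith compares whole components, so /tmp/extract2 does
        // not count as being inside /tmp/extract.
        if (!target.startsWith(base)) {
            throw new IOException("Entry escapes destination: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/tmp/extract"); // hypothetical extraction directory
        String[] names = {                     // constructed sample entry names
            "docs/readme.txt",
            "docs\\readme.txt",
            "../outside.txt",
            "..\\..\\outside.txt",
            "/abs/outside.txt"
        };
        for (String name : names) {
            try {
                System.out.println("OK      " + name + " -> " + resolveEntry(dest, name));
            } catch (IOException e) {
                System.out.println("REJECT  " + name);
            }
        }
    }
}
```

`normalize()` is purely lexical and does not follow symlinks, so an extractor that can also create symlink entries needs a separate check on link targets.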


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.github.junrar:junrar (Maven)
Affected versions: < 7.5.8
Patched versions: 7.5.8
