A crafted tar archive can now turn a routine Node.js extraction into a pathway for reading and writing arbitrary files outside the intended extraction directory — a high‑severity flaw in the widely used node‑tar package tracked as CVE‑2026‑26960 that was fixed in node‑tar 7.5.8.
Background...
