GHSA-gf2w-jqmq-fcm8 · Severity: low — In the Tarfile.extract() function, the filter parameter is not passed properly when extracting...
In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.
Conclusion & alert: CVE-2026-4360 is rated Low Risk (12.9/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.24%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-07-09 | 0.30% | 0.24% | -0.07% |
| 2 | 2026-07-01 | — | 0.30% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 2.0 | 4.0 | LOW |
|
— | — | [email protected] |
| 5.3 | 3.1 | MEDIUM |
|
3.9 | 1.4 | [email protected] |
GHSA-gf2w-jqmq-fcm8 · Severity: low — In the Tarfile.extract() function, the filter parameter is not passed properly when extracting...
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
unimportant | CVE-2026-4360 unimportant priority: Debian including 7 source packages (jython, pypy3, …), 18 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10, open 8. | https://security-tracker.debian.org/tracker/CVE-2026-4360 |
suse
|
low | CVE-2026-4360 severity low: SUSE including 7 source package names (python, python-32bit, …), 22 product×package rows across 7 product lines (SUSE Linux Enterprise Module for Package Hub 15 SP7, SUSE Linux Enterprise Server 12 SP5-LTSS, … (7 product lines)): Known Not Affected 22. | https://www.suse.com/security/cve/CVE-2026-4360/ |
ubuntu
|
medium | CVE-2026-4360 medium priority: Ubuntu including 12 source packages (python2.7, python3.10, …), 72 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 41, needs-triage 31. | https://ubuntu.com/security/CVE-2026-4360 |