Vulnerability Details CVE-2026-28208
Junrar is an open source java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc). Version 7.5.8 has a fix for the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 28.4%
CVSS Severity
CVSS v3 Score 5.9
References
Products affected by CVE-2026-28208
-
cpe:2.3:a:junrar_project:junrar:-
-
cpe:2.3:a:junrar_project:junrar:0.6
-
cpe:2.3:a:junrar_project:junrar:0.7
-
cpe:2.3:a:junrar_project:junrar:1.0.0
-
cpe:2.3:a:junrar_project:junrar:1.0.1
-
cpe:2.3:a:junrar_project:junrar:2.0.0
-
cpe:2.3:a:junrar_project:junrar:3.0.0
-
cpe:2.3:a:junrar_project:junrar:3.1.0
-
cpe:2.3:a:junrar_project:junrar:3.1.1
-
cpe:2.3:a:junrar_project:junrar:4.0.0
-
cpe:2.3:a:junrar_project:junrar:5.0.0
-
cpe:2.3:a:junrar_project:junrar:6.0.0
-
cpe:2.3:a:junrar_project:junrar:6.0.1
-
cpe:2.3:a:junrar_project:junrar:7.0.0
-
cpe:2.3:a:junrar_project:junrar:7.1.0
-
cpe:2.3:a:junrar_project:junrar:7.2.0
-
cpe:2.3:a:junrar_project:junrar:7.3.0
-
cpe:2.3:a:junrar_project:junrar:7.4.0
-
cpe:2.3:a:junrar_project:junrar:7.4.1
-
cpe:2.3:a:junrar_project:junrar:7.5.0
-
cpe:2.3:a:junrar_project:junrar:7.5.1
-
cpe:2.3:a:junrar_project:junrar:7.5.2
-
cpe:2.3:a:junrar_project:junrar:7.5.3
-
cpe:2.3:a:junrar_project:junrar:7.5.4
-
cpe:2.3:a:junrar_project:junrar:7.5.5
-
cpe:2.3:a:junrar_project:junrar:7.5.6
-
cpe:2.3:a:junrar_project:junrar:7.5.7