Back to overview

CVE-2026-59732

MEDIUM
5.0
CVSS 3.1
Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-selected destination prefix when extracting a crafted archive containing parent path components such as ../, allowing creation or overwrite of sibling objects in the same bucket or path scope. This issue is fixed in version 1.74.4.

Metadata

CVE ID
CVE-2026-59732
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-06 15:34 UTC
Published
2026-07-14 21:36 UTC
Last updated
2026-07-14 21:36 UTC
Primary CWE
CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product
rclone / rclone
Sources
cve.org  ·  NVD

Severity & Metrics

5.0 MEDIUM CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
Affected products (1)
VendorProductPlatformVersions
rclone rclone < 1.74.4
Weakness (CWE)
CWESourceDescription
CWE-22 cna CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.0 MEDIUM 3.1 cna CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
References (4)
Back to overview