VDB

CVE-2026-29064

CVE-2026-29064 PUBLISHED CVSS 8.199999809265137 HIGH

Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package. This issue has been patched in version 0.73.1.

EPSS 0.03% · 8.9th percentile

Risk Scores

CVSS v3.1
8.199999809265137
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS Score
0.03%
8.9th percentile

Affected Products

VendorProductVersions
zarf-devzarf>= 0.54.0, < 0.73.1, *
github.comzarf-dev/zarf/src/pkg/archive0.54.0, 0.54.0
lfprojectszarf0.54.0, 0.54.0

Timeline

  • Mar 6, 2026 CVE Published
  • Mar 6, 2026 PoC Published
  • Mar 7, 2026 EPSS Score
  • Mar 7, 2026 PoC Published
  • Mar 7, 2026 PoC Published
  • Mar 7, 2026 PoC Published
  • Mar 8, 2026 EPSS Score
  • Mar 9, 2026 EPSS Score
  • Mar 10, 2026 EPSS Score
  • Mar 12, 2026 EPSS Score
  • Mar 13, 2026 EPSS Score
  • Mar 14, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›