LeakyCreds

CVE-2026-29064 - Vulnerability Analysis

High | CVSS: 8.2

Last Updated: March 9, 2026

Zarf - Path Traversal

Published: March 6, 2026 | Updated: March 9, 2026

Overview

Zarf versions 0.54.0 up to, but not including, 0.73.1 contain a path traversal vulnerability in archive extraction: a crafted Zarf package can create symlinks during extraction, letting an attacker read or write arbitrary files on the system processing the package. Exploitation requires a crafted Zarf package.

Severity & Score

Severity: High
CVSS Score: 8.2
EPSS Score: 1.4% (probability of exploitation in the next 30 days)

Impact

Attackers can read or write arbitrary files on the system processing the package, potentially leading to data tampering or information disclosure.

Mitigation

Update to version 0.73.1 or later.
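
As a pre-extraction check for the symlink escape described in the overview, the following added example (not Zarf's code or its fix) lists symlink entries in an archive whose targets would land outside the destination directory. It assumes a plain tar stream, which this page does not specify; `EscapingLinks`, `outside`, `sampleArchive` and the path `/srv/unpack` are hypothetical names.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// outside reports whether path p lies lexically outside directory dest.
func outside(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	return err != nil || rel == ".." || strings.HasPrefix(rel, "../")
}

// EscapingLinks lists symlink entries of a tar stream (assumed format) that point outside dest.
func EscapingLinks(r io.Reader, dest string) (bad []string, err error) {
	for tr := tar.NewReader(r); ; {
		h, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		} else if err != nil {
			return bad, err
		}
		if h.Typeflag != tar.TypeSymlink {
			continue
		}
		target := h.Linkname // absolute targets are taken as written
		if !filepath.IsAbs(target) { // relative ones resolve from the link's directory
			target = filepath.Join(dest, filepath.Dir(h.Name), target)
		}
		if outside(dest, target) {
			bad = append(bad, h.Name+" -> "+h.Linkname)
		}
	}
}

// sampleArchive is constructed test input: one safe link, one escaping link.
func sampleArchive() *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	tw.WriteHeader(&tar.Header{Name: "app/current", Typeflag: tar.TypeSymlink, Linkname: "v1/config.yaml"})
	tw.WriteHeader(&tar.Header{Name: "app/out", Typeflag: tar.TypeSymlink, Linkname: "../../outside"})
	tw.Close()
	return buf
}

func main() { fmt.Println(EscapingLinks(sampleArchive(), "/srv/unpack")) }
```

The check is lexical only: it does not follow chains of links, so an extractor should also refuse to write through a symlink that an earlier entry created.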

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 7, 2026

🟠 CVE-2026-29064 - High (8.2) Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destina... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29064/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-29064
Severity: High
CVSS Score: 8.2
Type: path_traversal
Status: unconfirmed
EPSS: 1.4%
Social Posts: 1

CWE

  • CWE-22

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS Score

1.4% (probability of exploitation in the next 30 days)