CVE-2026-26960: node-tar extraction hardlink escape enables arbitrary file read/write
A newly published CVE for the npm `tar` package describes a High-severity hardlink escape during archive extraction; users should upgrade to `tar` 7.5.8.
VulnerabilityNode.jsDependency Security
20 Feb 2026