Launchpad security advisory: Fix applied for unsafe tar file extraction vulnerability
Friday, June 19th, 2026We received a private report from a security researcher describing a vulnerability affecting Launchpad. The vulnerability involved the unsafe processing of tar files at build upload and custom upload. We investigated promptly and deployed a fix shortly after the report. The reporting party has confirmed the issue is no longer exploitable.
Following remediation, we completed additional review and monitoring. We found no evidence of malicious exploitation. No user action is required.
We are sharing this update as part of our ongoing commitment to transparency and security.
We thank splitline (@_splitline_) and the DEVCORE Research Team for privately reporting this issue.


