#1136010 binwalk: CVE-2026-7179

Package:
src:binwalk
Source:
src:binwalk
Submitter:
Moritz Mühlenhoff
Date:
2026-05-08 13:33:03 UTC
Severity:
normal
Tags:
#1136010#5
Date:
2026-05-08 13:25:27 UTC
Hi,

The following vulnerability was published for binwalk.

CVE-2026-7179[0]:
| A security vulnerability has been detected in OSPG binwalk up to
| 2.4.3. This vulnerability affects the function
| read_null_terminated_string of the file
| src/binwalk/plugins/winceextract.py of the component WinCE
| Extraction Plugin. Such manipulation of the argument self.file_name
| leads to path traversal. The attack can only be performed from a
| local environment. The exploit has been disclosed publicly and may
| be used. The project maintainer confirms this issue: "I accept the
| existence of the Path Traversal vulnerability. However, as stated in
| the Github link, it reached EOL and as a result no actions should be
| expected." The GitHub repository mentions that "[u]sers and
| contributors should migrate to binwalk v3." This vulnerability only
| affects products that are no longer supported by the maintainer.

https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/binwalk_path_traversal.md

This sounds like binwalk shouldn't be included in forky?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-7179
https://www.cve.org/CVERecord?id=CVE-2026-7179

Please adjust the affected versions in the BTS as needed.
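As an added illustration (not binwalk's own code, and not code from the report), the defensive check an extraction plugin needs for the bug class described above: a file name read as a NUL-terminated string out of untrusted image data has to be confined to the extraction directory before anything is written. The sample records, the helper names `read_null_terminated_string`, `safe_output_path` and `plan_extraction`, and the output directory `wince_out` are all constructed for this example.

```python
from pathlib import Path

# Constructed sample of the kind of directory data an extraction plugin parses:
# three records, each file name stored as a NUL-terminated string. The second
# and third are the shapes a traversal check must refuse (relative escape and
# absolute path); the first is a legitimate image-relative name.
SAMPLE_RECORDS = (
    b"drivers/ndis.dll\x00"
    b"..\\..\\..\\outside.txt\x00"
    b"/absolute/path.bin\x00"
)


def read_null_terminated_string(data: bytes, offset: int, max_len: int = 260):
    """Return (string, next_offset) for the NUL-terminated string at offset.

    Bounded by max_len so a missing terminator cannot make us scan the whole
    image; latin-1 never raises on arbitrary bytes.
    """
    end = data.find(b"\x00", offset, offset + max_len)
    if end < 0:
        raise ValueError("unterminated string at offset %d" % offset)
    return data[offset:end].decode("latin-1"), end + 1


def safe_output_path(output_dir: str, file_name: str) -> Path:
    """Resolve file_name under output_dir, refusing anything that escapes it."""
    base = Path(output_dir).resolve()
    # WinCE names use backslashes; normalise so '..' components are visible.
    candidate = (base / file_name.replace("\\", "/")).resolve()
    # An absolute name replaces base entirely and '..' climbs above it; in both
    # cases base is no longer an ancestor of the resolved target, so reject.
    if base not in candidate.parents:
        raise ValueError("refusing to write outside %s: %r" % (base, file_name))
    return candidate


def plan_extraction(data: bytes, output_dir: str) -> dict:
    """Walk the records and sort names into accepted targets and rejected ones."""
    accepted, rejected = {}, {}
    offset = 0
    while offset < len(data):
        name, offset = read_null_terminated_string(data, offset)
        try:
            accepted[name] = str(safe_output_path(output_dir, name))
        except ValueError as exc:
            rejected[name] = str(exc)
    return {"accepted": accepted, "rejected": rejected}
```

Only the first record is accepted; the other two are reported as rejected with the reason, and nothing is written outside `wince_out`.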