diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
index 0ae657c0d6..223ede31c4 100644
--- a/runtime/autoload/tar.vim
+++ b/runtime/autoload/tar.vim
@@ -22,6 +22,7 @@
 " 2026 Apr 06 by Vim Project: fix bugs with lz4 support (#19925)
 " 2026 Apr 09 by Vim Project: fix bugs with zstd support (#19930)
 " 2026 Apr 09 by Vim Project: fix bug with dotted filename (#19930)
+" 2026 Apr 15 by Vim Project: fix more path traversal issues (#19981)
 "
 " Contains many ideas from Michael Toren's
 "
@@ -611,6 +612,24 @@ fun! tar#Extract()
 let &report= repkeep
 return
 endif
+ if fname =~ '^[.]\?[.]/' || simplify(fname) =~ '\.\.[/\\]'
+ call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!")
+ let &report= repkeep
+ return
+ endif
+ if has("unix")
+ if fname =~ '^/'
+ call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!")
+ let &report= repkeep
+ return
+ endif
+ else
+ if fname =~ '^\%(\a:[\\/]\|[\\/]\)'
+ call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!")
+ let &report= repkeep
+ return
+ endif
+ endif
 let extractcmd= s:WinPath(g:tar_extractcmd)
 let tarball = expand("%")
diff --git a/test/old/testdir/test_plugin_tar.vim b/test/old/testdir/test_plugin_tar.vim
index f6746fdd47..2152fe701e 100644
--- a/test/old/testdir/test_plugin_tar.vim
+++ b/test/old/testdir/test_plugin_tar.vim
@@ -88,6 +88,11 @@ func Test_tar_evil()
 call assert_equal("X.tar", @%)
 call assert_equal(1, b:leading_slash)
 
+ "## Press x to extract
+ :6
+ let mess = execute(":normal x", '')
+ call assert_match('(tar#Extract) Path Traversal Attack detected, not extracting!', mess)
+
 "## Check ENTER on file
 :6
 exe ":normal \"
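Review bot: The `..` test on the added line `simplify(fname) =~ '\.\.[/\\]'` only rejects `..` components that survive lexical simplification, so a member name such as `a/../b` collapses to `b` and is accepted even though simplify() does not resolve symbolic links and cannot know whether `a` was created as a link by an earlier entry of the same archive; a bare `..` or a trailing `foo/..` is not matched either, because the pattern requires a separator after the dots. Since no legitimate member name needs a `..` component, rejecting it on the raw name is both simpler and stricter, e.g. `if fname =~ '^[.]\?[.]/' || fname =~ '\%(^\|[/\\]\)\.\.\%([/\\]\|$\)'` (the simplify() call can then go). The three new branches emit the identical message and differ only in the absolute-path pattern, so they could be folded into one `if` with the pattern chosen by `has("unix") ? '^/' : '^\%(\a:[\\/]\|[\\/]\)'`, keeping the policy in one place; note the Windows pattern accepts a drive-relative name like `C:foo`, which is presumably harmless but worth a comment. tar#Extract continues outside the hunk on both sides, so the checks that precede these cannot be seen here.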