In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user’s home directory.
The way to mitigate this flaw is to pay attention to the contents of the archive in ark before extracting, to ensure that there are no improper symlinks, and heed the file overwrite warnings.