diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
index 74a5b38f78..944a2ed106 100644
--- a/runtime/autoload/tar.vim
+++ b/runtime/autoload/tar.vim
@@ -18,6 +18,7 @@
 " 2025 May 19 by Vim Project: restore working directory after read/write
 " 2025 Jul 13 by Vim Project: warn with path traversal attacks
 " 2025 Jul 16 by Vim Project: update minimum vim version
+" 2026 Feb 06 by Vim Project: consider 'nowrapscan' (#19333)
 "
 " Contains many ideas from Michael Toren's
 "
@@ -226,7 +227,7 @@ fun! tar#Browse(tarfile)
 " remove tar: Removing leading '/' from member names
 " Note: the message could be localized
- if search('^tar: ') > 0 || search(g:tar_leading_pat) > 0
+ if search('^tar: ', 'w') > 0 || search(g:tar_leading_pat, 'w') > 0
 call append(3,'" Note: Path Traversal Attack detected!')
 let b:leading_slash = 1
 " remove the message output
diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt
index 73083398b3..05d4da2be3 100644
--- a/runtime/doc/version9.txt
+++ b/runtime/doc/version9.txt
@@ -52490,4 +52490,16 @@ Patch 9.1.2134
 Problem: Terminal doesn't handle split UTF-8 sequence after ASCII.
 Solution: Only use one UTF-8 encoding state per vterm state (zeertzjq).
+Patch 9.1.2135
+Problem: search() is used to check for the message from tar that
+ indicates leading slashes found in the tar archive, or to
+ check for the leading slashes themselves. However, if
+ 'nowrapscan' is in effect these searches are limited to the
+ last line and don't find any results. This causes the warning
+ message from tar to be seen in the buffer, the "Path Traversal
+ Attack Detected" message to be omitted, and editing actions
+ can fail. This can be seen, for example, when editing
+ src/testdir/samples/evil.tar.
+Solution: Use the 'w' flag for search() (Kevin Goodsell)
+
 vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable
diff --git a/src/testdir/test_plugin_tar.vim b/src/testdir/test_plugin_tar.vim
index ebf74d7daa..8d34ce11a7 100644
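Review bot: The two search() calls on the `+` line of the tar#Browse hunk now tolerate 'nowrapscan', but they still honour the user's 'ignorecase' and 'smartcase' (search() matches like the "/" command), so the path-traversal detection still varies with user configuration in the same way it did with 'wrapscan'. Prefixing the literal pattern with `\C` pins it to a case-sensitive match independent of options: `if search('\C^tar: ', 'w') > 0 || search(g:tar_leading_pat, 'w') > 0`; with 'ignorecase' in effect the unanchored-case `'^tar: '` would presumably also match a listing line such as `TAR: ...`. g:tar_leading_pat is defined outside this hunk, so the same `\C` treatment should be checked where it is assigned. The rest of tar#Browse, including what happens to the cursor the search leaves on the matched line, is outside the hunk.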
--- a/src/testdir/test_plugin_tar.vim
+++ b/src/testdir/test_plugin_tar.vim
@@ -126,3 +126,24 @@ def g:Test_tar_evil()
 bw!
 enddef
+
+def g:Test_tar_path_traversal_with_nowrapscan()
+ CopyFile("evil.tar")
+ defer delete("X.tar")
+ # Make sure we still find the tar warning (or leading slashes) even when
+ # wrapscan is off
+ set nowrapscan
+ e X.tar
+
+ ### Check header
+ assert_match('^" tar\.vim version v\d\+', getline(1))
+ assert_match('^" Browsing tarfile .*/X.tar', getline(2))
+ assert_match('^" Select a file with cursor and press ENTER, "x" to extract a file', getline(3))
+ assert_match('^" Note: Path Traversal Attack detected', getline(4))
+ assert_match('^$', getline(5))
+ assert_match('/etc/ax-pwn', getline(6))
+
+ assert_equal(1, b:leading_slash)
+
+ bw!
+enddef
diff --git a/src/version.c b/src/version.c
index a9967e2bb5..0adf730aff 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 2135,
 /**/
 2134,
 /**/
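Review bot: `set nowrapscan` in the new Test_tar_path_traversal_with_nowrapscan() is never undone, so the global option stays off for every test that runs later in the same Vim instance and can change their search() and "/" behaviour. The test already uses `defer` to remove X.tar; restore the option the same way right after setting it, `defer execute('set wrapscan&')`, which also runs if `e X.tar` throws. If a deferred execute() is not wanted, `set wrapscan&` before the closing `bw!` restores it on the non-error path.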