No advisories yet.
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Wed, 15 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | decompress: decompress: arbitrary symlink creation during archive extraction leads to information disclosure | |
| First Time appeared |
Redhat
Redhat hummingbird |
|
| Weaknesses | CWE-61 | |
| CPEs | cpe:/a:redhat:hummingbird:1 | |
| Vendors & Products |
Redhat
Redhat hummingbird |
|
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Tue, 14 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Symlink Creation Allows Sensitive File Disclosure in decompress NPM Package |
Sun, 12 Jul 2026 07:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Symlink Creation Allows Sensitive File Disclosure in decompress NPM Package |
Fri, 10 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-59 | |
| Metrics |
cvssV3_1
|
Thu, 09 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Kevva
Kevva decompress |
|
| Vendors & Products |
Kevva
Kevva decompress |
Thu, 09 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.js line 121). The preventWritingThroughSymlink check on line 98 only applies to file entries, not symlink creation. An attacker can craft an archive with symlink entries pointing to sensitive files outside the extraction directory (e.g., /etc/passwd), enabling information disclosure when the application reads the extracted contents. | |
| References |
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-07-10T17:27:46.481Z
Reserved: 2026-04-06T00:00:00.000Z
Link: CVE-2026-39246
Updated: 2026-07-10T17:10:18.349Z
No data.
OpenCVE Enrichment
Updated: 2026-07-14T15:15:04Z