extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files.
References
Configurations
No configuration.
History
26 Jun 2026, 18:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-26 18:17
Updated : 2026-06-30 20:17
NVD link : CVE-2026-56876
Mitre link : CVE-2026-56876
CVE.ORG link : CVE-2026-56876
JSON object : View
Products Affected
No product.
