Skip to main content

extract-zip EUVDEUVD-2026-39812

| CVE-2026-56876 HIGH
Path Traversal (CWE-22)
2026-06-26 cisa-cg GHSA-jmr9-qjv8-65gv
8.6
CVSS 4.0 · Vendor: cisa-cg
Share

Severity by source

Vendor (cisa-cg) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Remote attacker-supplied archive (AV:N) needs no privileges (PR:N) but requires the app to extract it (UI:R); arbitrary read and write give C:H/I:H, no availability impact, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (cisa-cg).

CVSS VectorVendor: cisa-cg

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jun 26, 2026 - 18:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 18:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jun 26, 2026 - 18:22 NVD
8.1 (HIGH) 8.6 (HIGH)
Analysis Generated
Jun 26, 2026 - 17:50 vuln.today

DescriptionCVE.org

extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files.

AnalysisAI

Arbitrary file read/write in the Node.js extract-zip library (max-mapper/extract-zip) arises because symlink entries inside zip archives are extracted without validating their targets. An attacker who supplies a crafted archive containing a symlink with a traversal target such as '../../../../etc/passwd' can cause files to be placed or resolved outside the intended extraction directory, leading to disclosure or modification of sensitive files depending on how the host application uses the extracted output. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft zip with traversal symlink entry
Delivery
Deliver archive to extraction endpoint
Exploit
extract-zip writes symlink unvalidated
Execution
App follows link outside root
Impact
Read or overwrite arbitrary files

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application use extract-zip to unpack an attacker-supplied zip archive containing a symbolic-link entry with a relative traversal target (the description explicitly names a symlink path like '../../../../etc/passwd'); no authentication or special privileges are needed (PR:N), but passive interaction is required (UI:P) in that a victim system must actually ingest and extract the malicious archive. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N) indicates a network-reachable, low-complexity flaw requiring no privileges but passive operator interaction (the victim application must process the malicious archive), with high confidentiality and integrity impact and no availability impact - consistent with the 8.6 score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a zip archive containing a symlink entry whose target is a relative traversal path (e.g. '../../../../etc/passwd' or a path into the application's config/credential directory) and delivers it to a service that uses extract-zip to unpack uploads. …
Remediation No vendor-released patched version was identified in the available data, so an exact fixed release cannot be cited; consult the GitHub Security Advisory GHSA-x7jf-2287-qcpf (https://github.com/ziad626/extract-zip-security-research/security/advisories/GHSA-x7jf-2287-qcpf) and the CISA CSAF advisory (https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-177-01.json) for an upgrade target and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all applications using extract-zip library across production and staging environments; classify by exposure level based on whether they process untrusted archives from external users. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39812 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy