Skip to main content

Extract Zip

1 CVEs product

Monthly

CVE-2026-56876 HIGH Monitor

Arbitrary file read/write in the Node.js extract-zip library (max-mapper/extract-zip) arises because symlink entries inside zip archives are extracted without validating their targets. An attacker who supplies a crafted archive containing a symlink with a traversal target such as '../../../../etc/passwd' can cause files to be placed or resolved outside the intended extraction directory, leading to disclosure or modification of sensitive files depending on how the host application uses the extracted output. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, though the CVSS 4.0 base score of 8.6 reflects high confidentiality and integrity impact.

Path Traversal Extract Zip
NVD GitHub
CVSS 4.0
8.6
EPSS
0.3%
EPSS 0% CVSS 8.6
HIGH Monitor

Arbitrary file read/write in the Node.js extract-zip library (max-mapper/extract-zip) arises because symlink entries inside zip archives are extracted without validating their targets. An attacker who supplies a crafted archive containing a symlink with a traversal target such as '../../../../etc/passwd' can cause files to be placed or resolved outside the intended extraction directory, leading to disclosure or modification of sensitive files depending on how the host application uses the extracted output. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, though the CVSS 4.0 base score of 8.6 reflects high confidentiality and integrity impact.

Path Traversal Extract Zip
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy