Vulnerability in N/a

CVE-2026-39246

decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.j…

Affected products

  • N/a — versions n/a

References