CVE Catalog

CVE-2026-56876

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

The vulnerability in the extract-zip library is due to the lack of validation of symbolic link targets when extracting zip archives. An attacker can supply a malicious zip file containing a symbolic link with a relative path, e.g., '../../../../etc/passwd', allowing it to point outside the extraction directory. Depending on how the library is used, arbitrary file read or write is possible.

Risk Assessment

The risk for the organization includes potential loss of data confidentiality (reading sensitive files) or system integrity compromise (writing to critical files). The attack could lead to privilege escalation or application takeover.

Recommendation

It is recommended to immediately update the extract-zip library to a version that validates symbolic link targets. If no update is available, temporarily stop using the library to extract archives from untrusted sources.

Original NVD description (English source)

extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS