CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-39243

mediumCVSS 5.5covered by 1 sourcefirst seen 2026-07-09
decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries (type === 'link'), the x.linkname field from the archive is passed directly to fs.link() without validation (index.js line 113). An attacker can craft an archive with a hardlink entry whose linkname is an absolute path to any file on the same filesystem. This creates a hardlink inside the extraction directory that shares the same inode as the target file, enabling both reading and overwriting the original file's content. Hardlinks are limited to files on the same filesystem and cannot target directories.

⚡ Watch CVE-2026-39243

Get an email if CVE-2026-39243 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-39243

CVE.org record

Embed the live status

CVE-2026-39243 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-39243 status](https://www.csirts.com/badge/CVE-2026-39243)](https://www.csirts.com/cve/CVE-2026-39243)