CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-39246

highCVSS 7.5covered by 1 sourcefirst seen 2026-07-09
decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.js line 121). The preventWritingThroughSymlink check on line 98 only applies to file entries, not symlink creation. An attacker can craft an archive with symlink entries pointing to sensitive files outside the extraction directory (e.g., /etc/passwd), enabling information disclosure when the application reads the extracted contents.

⚡ Watch CVE-2026-39246

Get an email if CVE-2026-39246 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-39246

CVE.org record

Embed the live status

CVE-2026-39246 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-39246 status](https://www.csirts.com/badge/CVE-2026-39246)](https://www.csirts.com/cve/CVE-2026-39246)