CVE Catalog

CVE-2026-56876

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile - higher than 24% of all known CVEs

Summary

The extract-zip library does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip extracts the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files.

Risk Assessment

The risk involves potential unauthorized access to sensitive system files or writing malicious data outside the target directory, which could compromise system confidentiality, integrity, or availability.

Recommendation

It is recommended to immediately update the extract-zip library to the latest version that includes a fix for symlink validation. If an update is not available, temporarily stop using extract-zip to extract archives from untrusted sources.

Original NVD description (English source)

extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS