CVE Vulnerability Details: CVE-2026-10732 (PUBLISHED)
Assigner: snyk
Assigner Org ID: bae035ff-b466-4ff4-94d0-fc9efd9e1730
Published At: 05 Jun, 2026 | 05:00
Updated At: 30 Jun, 2026 | 12:06

CVE Numbering Authority (CNA)

All versions of the package decompress are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path, the first a symlink to an arbitrary target and the second a regular file: the file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order, which checks readlink for the second file before resolving the symlink for the first file. An attacker can write an arbitrary file on the host filesystem, potentially leading to remote code execution, by providing a specially crafted ZIP archive. **Note:** This bypasses all existing path traversal protections, including preventWritingThroughSymlink, added as part of the fix for [CVE-2020-12265](https://security.snyk.io/vuln/SNYK-JS-DECOMPRESS-557358).

Affected Products
Vendor: n/a
Product: decompress
Versions Affected:
  • From 0 before * (semver)
Problem Types
Type: N/A
CWE ID: N/A
Description: Arbitrary File Write via Archive Extraction (Zip Slip)
Metrics
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L/E:P
Version: 4.0
Base score: 6.1
Base severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:P
Credits: Alessandro Mizzaro
References
https://security.snyk.io/vuln/SNYK-JS-DECOMPRESS-16415209
https://gist.github.com/Alemmi/409c3cc148c39522c6d6a8538b0e1f9e
https://github.com/kevva/decompress/pull/112
Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
2. decompress: Decompress: Arbitrary file write leading to remote code execution via crafted ZIP archive (Zip Slip)

A flaw was found in the decompress package. A remote attacker can exploit this by providing a crafted ZIP archive with two entries at the same path: a symlink to an arbitrary target and a regular file. Due to microtask processing order, the file content is written through the symlink before it is resolved, allowing writes outside the output directory. This Zip Slip bypasses path traversal protections including preventWritingThroughSymlink (CVE-2020-12265) and can lead to remote code execution.

Affected Products (vendor: Red Hat, Inc.; default status: affected for each)
  • Red Hat Advanced Cluster Management for Kubernetes 2 (cpe:/a:redhat:acm:2)
  • Red Hat Build of Keycloak (cpe:/a:redhat:build_keycloak:)
  • Red Hat Enterprise Linux 8 (cpe:/o:redhat:enterprise_linux:8)
  • Red Hat Hardened Images (cpe:/a:redhat:hummingbird:1)
Problem Types
Type: CWE
CWE ID: CWE-22
Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Metrics
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat severity rating: Important (namespace: https://access.redhat.com/security/updates/classification/)
Timeline
Reported to Red Hat: 2026-06-05 07:00:56
Made public: 2026-06-05 05:00:02
References
https://access.redhat.com/security/cve/CVE-2026-10732 (vdb-entry, x_refsource_REDHAT)
https://bugzilla.redhat.com/show_bug.cgi?id=2485376 (issue-tracking, x_refsource_REDHAT)
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-10732.json (x_sadp-csaf-vex)