Unknown · Decompress · CVE-2026-10732
**Name of the Vulnerable Software and Affected Versions**
decompress (affected versions not specified)
**Description**
The software is susceptible to Arbitrary File Write via Archive Extraction, also known as Zip Slip. The issue occurs when extracting a ZIP archive that contains two entries with the same path: a symlink to an arbitrary target and a regular file. Because of the order in which microtasks are processed, the `readlink` check for the second entry runs before the symlink for the first entry has been resolved, so the file content is written through the symlink to a target location outside the output directory. This bypasses the existing path traversal protections, including `preventWritingThroughSymlink`. By providing a specially crafted ZIP archive, an attacker can write arbitrary files to the host filesystem, which may lead to remote code execution.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
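
Until a fix is available, archives from untrusted sources can be screened before extraction for the entry pattern the description refers to. The following is an added example, not code from the decompress project: it assumes the entry listing has already been read without writing anything to disk, and the `{ path, type }` entry shape, the function names and the sample listing are constructed for illustration. It generalizes slightly beyond the described case by also flagging entries nested under a link entry and paths that leave the extraction root.

```javascript
// Added example, not decompress code. Assumed entry shape (constructed):
// { path, type } with type 'file', 'directory', 'symlink' or 'link'.

// Canonical relative form of an entry path; null if absolute or climbing out.
function normalizeEntryPath(p) {
  if (/^([a-zA-Z]:|[\\/])/.test(p)) return null;
  const out = [];
  for (const part of p.split(/[\\/]+/)) {
    if (part === '' || part === '.') continue;
    if (part !== '..') out.push(part);
    else if (out.length === 0) return null;
    else out.pop();
  }
  return out.join('/');
}

// Two passes, so the result does not depend on entry order.
function auditEntries(entries) {
  const isLink = (e) => e.type === 'symlink' || e.type === 'link';
  const items = entries.map((e) => ({ ...e, norm: normalizeEntryPath(e.path) }));
  const linkPaths = new Set(items.filter(isLink).map((e) => e.norm));
  const counts = new Map();
  for (const e of items) counts.set(e.norm, (counts.get(e.norm) || 0) + 1);
  const findings = [];
  for (const e of items) {
    if (e.norm === null) {
      findings.push({ path: e.path, reason: 'escapes-root' });
      continue;
    }
    // Same path more than once; worse when one of the copies is a link.
    if (counts.get(e.norm) > 1) {
      const reason = linkPaths.has(e.norm) ? 'duplicate-with-link' : 'duplicate';
      findings.push({ path: e.path, reason });
    }
    // A parent component that is itself a link entry redirects the write.
    const parts = e.norm.split('/');
    const under = parts.some((_, i) => i > 0 && linkPaths.has(parts.slice(0, i).join('/')));
    if (under) findings.push({ path: e.path, reason: 'under-link' });
  }
  return findings;
}

// Constructed listing: 'cfg' appears twice, once as a symlink.
const SAMPLE_ENTRIES = [
  { path: 'docs/readme.txt', type: 'file' },
  { path: 'cfg', type: 'symlink' }, { path: './cfg', type: 'file' },
  { path: 'logs', type: 'symlink' }, { path: 'logs/app.log', type: 'file' },
  { path: '../up.txt', type: 'file' },
];
```

Treat any non-empty result from `auditEntries` as grounds to refuse extraction; rejecting the archive outright is safer than trying to skip individual entries.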