PT-2026-39856 · Outline · Outline

Bugbunny-Research · Published 2026-05-11 · Updated 2026-05-12 · CVE-2026-43888

CVSS v3.1: 8.7 High

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Outline versions prior to 1.7.0

Description

An issue exists in the ZipHelper.extract function where the extraction path for each entry is computed by passing a full filesystem path through trimFileAndExt. This helper function uses path.basename when truncating. If a zip entry's nested path exceeds the MAX PATH LENGTH (4096 bytes), trimFileAndExt removes all directory components and returns only the filename. Consequently, fs.createWriteStream opens the file relative to the process working directory rather than within the intended extraction sandbox. Because cleanupExtractedData only removes the temporary extraction directory, the escaped file remains on the system after import cleanup.

Recommendations

Update to version 1.7.0.
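
The failure mode in the Description, modelled as an added example (this is not Outline's code, and not the 1.7.0 fix): `trimWithBasename` is a hypothetical stand-in for the behaviour attributed to trimFileAndExt, and `resolveInsideRoot` is one way to validate an entry path without ever truncating it. The directories `/tmp/extract` and `/srv/app` and the sample entry are constructed.

```javascript
const path = require("node:path").posix; // POSIX semantics, matching the 4096-byte limit

const MAX_PATH_LENGTH = 4096; // limit named in the advisory

// Hypothetical model of a truncation helper that falls back to
// path.basename once the full path is over the limit.
function trimWithBasename(fullPath, maxLen = MAX_PATH_LENGTH) {
  if (Buffer.byteLength(fullPath) <= maxLen) return fullPath;
  const ext = path.extname(fullPath);
  const name = path.basename(fullPath, ext); // every directory component is dropped here
  return name.slice(0, maxLen - ext.length) + ext;
}

// A relative path handed to fs.createWriteStream resolves against the
// process working directory; this returns the location that would be written.
function effectiveWritePath(p, cwd) {
  return path.resolve(cwd, p);
}

// Hardened alternative: reject instead of truncating, then confirm the
// resolved target is still inside the extraction root.
function resolveInsideRoot(root, entryName, maxLen = MAX_PATH_LENGTH) {
  const absRoot = path.resolve(root);
  const target = path.resolve(absRoot, entryName);
  if (Buffer.byteLength(target) > maxLen) {
    throw new Error("entry path exceeds maximum length");
  }
  if (target !== absRoot && !target.startsWith(absRoot + path.sep)) {
    throw new Error("entry escapes extraction root");
  }
  return target;
}

// Constructed sample: an entry nested deeply enough to exceed the limit.
function sampleEntry() {
  return "d/".repeat(2100) + "notes.txt";
}

// Compare both behaviours for one entry (root and cwd are constructed values).
function compare(entry, root = "/tmp/extract", cwd = "/srv/app") {
  const trimmed = trimWithBasename(path.join(root, entry));
  let hardened;
  try { hardened = resolveInsideRoot(root, entry); }
  catch (err) { hardened = `rejected: ${err.message}`; }
  return { modelled: effectiveWritePath(trimmed, cwd), hardened };
}
```

`compare(sampleEntry())` returns the working-directory location for the modelled helper and a rejection for the hardened resolver, which is the property to assert in an import test suite.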

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-43888

Affected Products

Outline