CVE-2026-56876 | extract-zip does not validate symlink targets when extractin… | CVSS 8.1 HIGH

Description

extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files.

Metadata

CVE ID: CVE-2026-56876
State: PUBLISHED
Assigner: cisa-cg
Reserved: 2026-06-23 15:30 UTC
Published: 2026-06-26 16:44 UTC
Last updated: 2026-06-26 16:44 UTC
Primary CWE: CWE-22
CWE-22 Improper Limitation of a Pathname to a Restricted Dir…
Vendor / Product: max-mapper / extract-zip
Sources: cve.org · NVD

Severity & Metrics

8.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected products (1)

Vendor	Product	Platform	Versions
max-mapper	extract-zip	—	0 < *

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-61	cna	CWE-61 UNIX Symbolic Link (Symlink) Following

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.6	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
8.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References (3)