By weakness (CWE)

CWE-29: related vulnerabilities

CVEs classified under CWE-29. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

1 published vulnerability

  • CVE-2026-10732MEDIUM 6.4

    The decompress package contains a critical flaw that allows attackers to write files anywhere on a system by uploading a specially crafted ZIP archive. The vulnerability exploits a race condition in how the library processes ZIP entries: when a ZIP contains two entries with identical paths—first a symlink pointing to an arbitrary location, then a regular file—the library writes the file's contents through the symlink to a location outside the intended extraction folder. This bypasses protections added in previous fixes, potentially enabling remote code execution if an attacker can control ZIP uploads or extraction workflows.