By weakness (CWE)
CWE-29: related vulnerabilities
CVEs classified under CWE-29. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
1 published vulnerability
- CVE-2026-10732MEDIUM 6.4
The decompress package contains a critical flaw that allows attackers to write files anywhere on a system by uploading a specially crafted ZIP archive. The vulnerability exploits a race condition in how the library processes ZIP entries: when a ZIP contains two entries with identical paths—first a symlink pointing to an arbitrary location, then a regular file—the library writes the file's contents through the symlink to a location outside the intended extraction folder. This bypasses protections added in previous fixes, potentially enabling remote code execution if an attacker can control ZIP uploads or extraction workflows.