{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "10.2.1"
              },
              {
                "introduced": "11.0.0"
              },
              {
                "fixed": "11.1.3"
              }
            ],
            "source": [
              "AFFECTED_FIELD",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "introduced": "bbaa8c6c31bab65fea6b8a85f12ffb4ead6845f7"
            },
            {
              "fixed": "742ab1a8fe0e49d1437069cabe394ff89d41ae01"
            },
            {
              "fixed": "921c957ca09437139599d86d5f4aa963f1b3fa82"
            },
            {
              "fixed": "281cefa00cd4275c10479bc5f1abba6b14dee8bd"
            },
            {
              "fixed": "60b5299402e72b0b53ca2e55222e9a1ccb44afae"
            },
            {
              "fixed": "9fcda4b0a66ca22dc8d337f9b0e7c30293c5fb89"
            },
            {
              "fixed": "aca5aac415dc04a6fae5200e51368cff436a09dd"
            }
          ],
          "repo": "https://github.com/xhmikosr/decompress",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-mp2f-45pm-3cg9"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-22",
      "CWE-59",
      "CWE-732"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53486.json"
  },
  "details": "The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3.",
  "id": "CVE-2026-53486",
  "modified": "2026-07-17T03:41:48.111048178Z",
  "published": "2026-07-14T20:07:14.190Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/XhmikosR/decompress/releases/tag/v10.2.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/XhmikosR/decompress/releases/tag/v11.1.3"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53486.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/XhmikosR/decompress/security/advisories/GHSA-mp2f-45pm-3cg9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53486"
    },
    {
      "type": "FIX",
      "url": "https://github.com/XhmikosR/decompress/commit/281cefa00cd4275c10479bc5f1abba6b14dee8bd"
    },
    {
      "type": "FIX",
      "url": "https://github.com/XhmikosR/decompress/commit/60b5299402e72b0b53ca2e55222e9a1ccb44afae"
    },
    {
      "type": "FIX",
      "url": "https://github.com/XhmikosR/decompress/commit/9fcda4b0a66ca22dc8d337f9b0e7c30293c5fb89"
    },
    {
      "type": "FIX",
      "url": "https://github.com/XhmikosR/decompress/commit/aca5aac415dc04a6fae5200e51368cff436a09dd"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "decompress: Archive extraction can create files and links outside the target directory"
}