CVE-2026-53486
The CVE affects the Node.js decompress package used for archive extraction. Before versions 10.2.1 and 11.1.3, crafted archives could read or write files outside the target directory due to: hardlink and symlink entries being created without proper target checks; path containment validated by a s...