CVE-2026-22685
DevToys (desktop app) has a path traversal vulnerability in its extension installation for versions 2.0.0.0–2.0.8.x, where processing NUPKG archives does not validate file paths, allowing crafted entries like ../../…/target-file to write outside the intended extensions directory. This could overw...