CVE-2026-39246
The CVE affects the npm package decompress prior to version 4.2.2. During archive extraction, entries of type symlink pass the archive’s x.linkname directly to fs.symlink() without validation, and the existing preventWritingThroughSymlink check only applies to files, not symlinks. A crafted archi...