CVE-2026-39245
The connected documents describe CVE-2026-39245 in the decompress package prior to 4.2.2, where a flawed path containment check uses String.indexOf without a path-separator boundary (realDestinationDir.indexOf(realOutputPath) !== 0), allowing directory traversal and arbitrary file writes adjacent...