CVE-2020-36561

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

CVE-2008-0888

The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.