CVE-2026-43888HIGH 8.7EPSS p28.5%

CVE-2026-43888CVE-2026-43888

Description

Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's nested path is long enough to push the joined filesystem path over MAX_PATH_LENGTH (4096 bytes), trimFileAndExt silently drops all directory components and returns a bare filename. fs.createWriteStream then opens the file relative to the process working directory instead of inside the extraction sandbox, and the escaped file persists after import cleanup because cleanupExtractedData only removes the temporary extraction directory. This vulnerability is fixed in 1.7.0.

Scoring

CVSS 3.18.7 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
EPSS0.37% probability of exploitation · percentile 28.5% · 2026-06-19T12:03:05Z
Published2026-05-11
Last modified2026-05-12

Underlying weaknesses· 1

CWE-22

References

  1. https://github.com/outline/outline/security/advisories/GHSA-hw32-2v7j-mgqc
  2. https://github.com/outline/outline/security/advisories/GHSA-hw32-2v7j-mgqc

1

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-10732
CVE
CVE-2026-3087
CVE
CVE-2026-10621
CVE
CVE-2025-0851
CVE
CVE-2025-66945
CVE
CVE-2026-7774
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.