CVE-2026-10732 affects all versions of the decompress package and allows arbitrary file write during ZIP archive extraction. The vulnerability arises when a specially crafted ZIP archive contains two entries with the same path: a symlink followed by a regular file. The decompress package processes these entries in a way that the second file's content is written through the symlink to an arbitrary location outside the extraction directory. This behavior bypasses existing protections against path traversal and symlink attacks, including the preventWritingThroughSymlink mechanism introduced to fix CVE-2020-12265. The vulnerability can be exploited by an attacker providing a malicious ZIP archive, potentially leading to remote code execution on the host system. There is no vendor advisory or patch information available at this time.

An attacker can write arbitrary files to locations outside the intended extraction directory by exploiting the symlink and file entry ordering in a ZIP archive. This can lead to overwriting critical files or placing malicious files on the host filesystem. The vulnerability potentially enables remote code execution if the attacker writes executable code to a location that is later executed by the system or an application. The CVSS 4.0 score of 6.1 reflects a medium severity with network attack vector, low complexity, and partial user interaction required.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should avoid extracting ZIP archives from untrusted sources with the decompress package. Consider using alternative extraction tools that properly handle symlinks and path traversal protections. Monitor official decompress package repositories and security advisories for updates.