THE security vulnerability CVE-2026-53486 affects the @xhmikosr/decompress npm package, allowing crafted archives to write files outside the extraction directory, with a CVSS score of 9.1. The affected versions include < 10.2.1, >= 11.0.0, < 11.1.3, and <= 4.2.1. While there are no confirmed exploitations, the flaw poses significant risk, especially in environments where it runs as root. The vulnerability has been patched in versions 10.2.1 and 11.1.3, which implement stricter checks on link targets.
Users are advised to update immediately or use temporary workarounds, such as only extracting trusted archives and running as a non-root user.