PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44705 raszi CVE debrief

CVE-2026-44705 is a path traversal vulnerability in the tmp npm package, which allows attackers to create files outside the intended temporary directory. This HIGH severity vulnerability has a CVSS score of 7.7 and was published on 2026-06-11T17:16:33.853Z. The vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. The issue was fixed in version 0.2.6 of the tmp package.

Vendor: raszi
Product: node-tmp
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-11
Original CVE updated: 2026-06-13
Advisory published: 2026-06-11
Advisory updated: 2026-06-13

Who should care

Developers and administrators using the tmp npm package in their applications, especially those that handle user-controlled input, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process.

Defensive priority

HIGH

Recommended defensive actions

  • Update the tmp npm package to version 0.2.6 or later.
  • Ensure proper input sanitization for user-controlled data passed to tmp's file/directory creation functions.
  • Review and update affected applications to prevent exploitation.
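
One way to apply the input-sanitization action above to the prefix, postfix and dir options named in the technical summary. This is an added example, not code from the advisory or from the tmp project; the helper names (safeTmpOptions, checkFragment, checkDir), the baseDir parameter, the allow-list pattern and the sample values are assumptions made for illustration.

```javascript
'use strict';
const path = require('path');

// Hypothetical helper, not part of tmp: vet untrusted values before they are
// used as the prefix, postfix or dir options described in the advisory.
// Fragments may not contain path separators, so they cannot add path segments.
const FRAGMENT = /^[A-Za-z0-9._-]{1,64}$/;

function checkFragment(label, value) {
  if (value === undefined) return undefined;
  if (typeof value !== 'string' || !FRAGMENT.test(value)) {
    throw new Error(`${label} rejected: ${JSON.stringify(value)}`);
  }
  return value;
}

// Resolve dir against the base and require the result to stay inside it.
// This is a lexical check; it does not follow symlinks.
function checkDir(baseDir, value) {
  if (value === undefined) return undefined;
  if (typeof value !== 'string' || value.includes('\0')) {
    throw new Error('dir rejected: not a usable string');
  }
  const base = path.resolve(baseDir);
  const rel = path.relative(base, path.resolve(base, value));
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`dir rejected: ${JSON.stringify(value)} escapes ${base}`);
  }
  return rel === '' ? undefined : rel;
}

function safeTmpOptions(baseDir, untrusted) {
  const opts = {
    prefix: checkFragment('prefix', untrusted.prefix),
    postfix: checkFragment('postfix', untrusted.postfix),
    dir: checkDir(baseDir, untrusted.dir),
  };
  // Drop unset keys so the caller passes only validated options on.
  for (const key of Object.keys(opts)) {
    if (opts[key] === undefined) delete opts[key];
  }
  return opts;
}

// Constructed sample input, not taken from the advisory.
console.log(safeTmpOptions('/srv/app/tmp', { prefix: 'upload-', dir: 'user42' }));
```

Validation of this kind complements the upgrade to 0.2.6 or later; it does not replace it.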

Evidence notes

This vulnerability was published on 2026-06-11T17:16:33.853Z and modified on 2026-06-13T03:16:20.897Z. The CVSS score is 7.7, indicating a HIGH severity vulnerability.

Official resources

CVE-2026-44705 was published on 2026-06-11T17:16:33.853Z and modified on 2026-06-13T03:16:20.897Z.