MEDIUM
Ddev
CVE published 2026-04-22
CVE-2026-32885
CVE-2026-32885 is a DDEV archive-extraction vulnerability affecting versions prior to 1.25.2. The issue is in the Untar() and Unzip() code paths, which extracted remote archives without validating paths first. That creates a path traversal risk and can let crafted archive contents write outside the intended extraction directory. DDEV 1.25.2 is the fixed release.