
Security Vulnerabilities Detected in Dependencies #2446

@prasadayush

Description

Two high-severity vulnerabilities have been identified in our Node.js dependencies. CVE-2026-26960 affects the tar package (v7.5.7), where an attacker-controlled archive can create a hardlink inside the extraction directory pointing to a file outside the extraction root, enabling arbitrary file read and write — this is fixed in v7.5.8 (CVSS: 7.1). CVE-2026-26996 affects the minimatch package (v10.1.2), which is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards, causing exponential backtracking with O(4^N) time complexity — this is fixed in v10.2.1 (CVSS: 7.5).
