{"vulnerability": "cve-2026-4998", "sightings": [{"uuid": "05f5dd45-1e79-4049-9df0-e694b966acfe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4998", "type": "seen", "source": "https://bsky.app/profile/postac001.bsky.social/post/3mi4wy26n572y", "content": "", "creation_timestamp": "2026-03-28T15:25:59.061513Z"}, {"uuid": "0861d0db-a1f6-4f8c-bd99-3b02d83677df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4998", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mi55duqcvg2g", "content": "", "creation_timestamp": "2026-03-28T17:19:58.529615Z"}, {"uuid": "1073948f-4d5d-4cb2-b3cc-aa0a129da6a8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4998", "type": "published-proof-of-concept", "source": "Telegram/09Z2uSywZ0eaMBc_jzeKEvNTJqqyhgJAVS7JG0bu28jYxi8", "content": "", "creation_timestamp": "2026-03-28T15:15:27.000000Z"}, {"uuid": "996dc09a-9e44-4bc7-b0b9-ff9b10286a33", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49982", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mnzslz7nzj25", "content": "\ud83d\udfe0 CVE-2026-49982 - High (8.2)\n\ntmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guar...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-49982/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-11T18:00:52.083143Z"}, {"uuid": "a518fa43-38a0-4c9f-a38c-b51fe48bf6fc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49982", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3modmgo34nk2s", "content": "\ud83d\udccc CVE-2026-49982 - tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contai... https://www.cyberhub.blog/cves/CVE-2026-49982", "creation_timestamp": "2026-06-15T15:37:06.567641Z"}, {"uuid": "a10e5ae7-a715-4ce7-abd3-c70d43252421", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49982", "type": "seen", "source": "https://gist.github.com/alon710/0bdb094f8b35593b7efeef728ecec669", "content": "# CVE-2026-49982: CVE-2026-49982: Path Traversal Bypass via Type Confusion in node-tmp\n\n&gt; **CVSS Score:** 8.2\n&gt; **Published:** 2026-06-15\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49982\n\n## Summary\nA high-severity type-confusion path traversal vulnerability (CVE-2026-49982 / GHSA-7c78-jf6q-g5cm) exists in the node-tmp package version 0.2.6. The vulnerability allows remote attackers to bypass path validation checks by passing non-string data types such as Arrays or duck-typed Objects into options like prefix, postfix, or template. Because the library relies on the .includes() method without verifying the input type, standard array checks evaluate differently than string checks. Downstream string coercion subsequently restores the traversal sequence, allowing files and directories to be created outside the designated temporary directory root. This can result in arbitrary file writes and potential local file execution depending on application context.\n\n## TL;DR\nA type-confusion vulnerability in node-tmp version 0.2.6 allows path traversal checks to be bypassed using non-string options (such as arrays). This results in arbitrary file and directory creation outside the temporary workspace, potentially leading to unauthorized writes and host compromise.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-20, CWE-22\n- **Attack Vector**: Network\n- **CVSS**: 8.2 (High)\n- **EPSS Score**: 0.00447\n- **Impact**: Integrity (High), Availability (Low)\n- **Exploit Status**: Proof of Concept (PoC) available\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Node.js applications running node-tmp version 0.2.6\n- **tmp**: = 0.2.6 (Fixed in: `0.2.7`)\n\n## Mitigation\n\n- Upgrade node-tmp dependency to version 0.2.7 or higher\n- Enforce strict string type validation on all user inputs passed to file-creation APIs\n- Sanitize nested parameters from parsed JSON payloads or bracketed query string structures\n- Ensure host processes run with the least privilege necessary to minimize filesystem access\n\n**Remediation Steps:**\n1. Run 'npm install tmp@0.2.7' to update the local package dependencies.\n2. Validate the update by checking the package-lock.json or yarn.lock file for version 0.2.7.\n3. Audit application route handlers for any references to tmp.file, tmp.dir, or tmp.tmpName.\n4. Deploy localized input sanitation logic to verify that prefix, postfix, and template options are strict string types.\n\n## References\n\n- [GitHub Security Advisory Details](https://github.com/raszi/node-tmp/security/advisories/GHSA-7c78-jf6q-g5cm)\n- [NVD Vulnerability Listing](https://nvd.nist.gov/vuln/detail/CVE-2026-49982)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49982) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T17:11:14.000000Z"}, {"uuid": "9e11179f-b448-4842-a2c8-756348a03c8e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49982", "type": "published-proof-of-concept", "source": "https://github.com/raszi/node-tmp/security/advisories/GHSA-7c78-jf6q-g5cm", "content": "", "creation_timestamp": "2026-05-27T15:48:27.000000Z"}, {"uuid": "0f1b55e3-7997-48fa-b2d8-bded33edf556", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49984", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mp7wmr6lqu2c", "content": "CVE-2026-49984 - Kestra: Path traversal in `LocalStorage` allows any authenticated user to read arbitrary server files via the execution file-download API (`\\..\\` bypasses the `..` guard)\nCVE ID : CVE-2026-49984\n \n Published : June 26, 2026, 8:55 p.m. | 49\u00a0minutes ago\n \n Descr...", "creation_timestamp": "2026-06-26T21:54:01.143420Z"}, {"uuid": "b6517141-cde1-4bc6-a874-b910d4417e4b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49984", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mpbwpywek52m", "content": "\ud83d\udfe0 CVE-2026-49984 - High (7.7)\n\nKestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the lo...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-49984/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-27T17:01:10.784284Z"}, {"uuid": "401cf963-99cb-4812-8df2-e4ce4af35464", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49983", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mpgnghpgio2n", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-49983 \u0432 Deno: \u0443\u0433\u0440\u043e\u0437\u0430 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u044b \u0437\u0430\u0449\u0438\u0442\u044b\n\n\n\nhttps://kripta.biz/posts/E0173E87-133D-4D57-AE43-88246DFBC106", "creation_timestamp": "2026-06-29T13:58:04.249376Z"}, {"uuid": "91fe9531-304c-4c3f-b733-81ef8a7dc702", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49984", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mph7b5jj2w2o", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-49984 \u0432 Kestra: \u0443\u0433\u0440\u043e\u0437\u044b \u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u044b \u0437\u0430\u0449\u0438\u0442\u044b\n\n\n\nhttps://kripta.biz/posts/785221D3-8475-46E9-B85D-8063FA40B9AD", "creation_timestamp": "2026-06-29T19:17:13.467505Z"}, {"uuid": "ee78f8fa-a397-4f18-8310-8f5614e7c26a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49980", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mphw63pkjn2e", "content": "\ud83d\udccc CVE-2026-49980 - Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --r... https://www.cyberhub.blog/cves/CVE-2026-49980", "creation_timestamp": "2026-06-30T02:07:07.398394Z"}, {"uuid": "f18681de-4411-4332-b946-d69bb800366c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49984", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mplmfdagoy2o", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-49984 \u0432 Kestra: \u0443\u0433\u0440\u043e\u0437\u044b \u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u044b \u0437\u0430\u0449\u0438\u0442\u044b\n\n\n\nhttps://kripta.biz/posts/AF3C7B1E-D9A9-4D34-B924-C4CE6748BF24", "creation_timestamp": "2026-07-01T13:22:51.397830Z"}, {"uuid": "b5c2d651-60dd-4bf2-b166-43ec2d0359df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49989", "type": "published-proof-of-concept", "source": "https://github.com/crate/crate/security/advisories/GHSA-2xv8-gjwh-fv8p", "content": "", "creation_timestamp": "2026-07-01T20:35:07.371743Z"}, {"uuid": "539f7c93-54cd-40b9-a683-aabdfed64ed5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49987", "type": "published-proof-of-concept", "source": "https://github.com/yamadashy/repomix/security/advisories/GHSA-9mm9-rqhj-j5mx", "content": "", "creation_timestamp": "2026-07-01T20:35:09.517613Z"}, {"uuid": "939fdd09-3c2a-41e7-b363-9da35b5a9e58", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49986", "type": "published-proof-of-concept", "source": "https://github.com/cdeust/Cortex/security/advisories/GHSA-gvpp-v77h-5w8g", "content": "", "creation_timestamp": "2026-07-01T20:35:11.679535Z"}, {"uuid": "b4205b63-3ac1-4b68-95e5-f6595ead29c3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49980", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mps7iz5uow23", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-49980 \u0432 Rclone: \u0443\u0433\u0440\u043e\u0437\u044b, \u043f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u044b \u0437\u0430\u0449\u0438\u0442\u044b\n\n\n\nhttps://kripta.biz/posts/1B6CE41D-A8D0-4D6B-894F-6B2211C56CB8", "creation_timestamp": "2026-07-04T04:20:54.146464Z"}, {"uuid": "c014f0c4-4164-44ed-a9a8-1a5cf6c1be80", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49981", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqnik3mtql27", "content": "CVE-2026-49981 - Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`\nCVE ID : CVE-2026-49981\n \n Published : July 14, 2026, 10:17 p.m. | 1\u00a0hour, 14\u00a0minutes ago\n \n Description : Twig is a template language f...", "creation_timestamp": "2026-07-15T00:44:27.048136Z"}, {"uuid": "b2d48230-66f0-4706-a478-fba59ca8f03b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49987", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqpmqxdh3a22", "content": "CVE-2026-49987 - Repomix: Command Injection (RCE) via `--remote-branch` Argument Injection\nCVE ID : CVE-2026-49987\n \n Published : July 15, 2026, 7:17 p.m. | 17\u00a0minutes ago\n \n Description : Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, src/c...", "creation_timestamp": "2026-07-15T21:05:14.149196Z"}, {"uuid": "4b9dfa83-27a8-4736-98a1-5d9a1eb49c39", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49988", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqpo5tfq562s", "content": "CVE-2026-49988 - Repomix: attach_packed_output can bypass file-read secret scanning for supported local files\nCVE ID : CVE-2026-49988\n \n Published : July 15, 2026, 7:17 p.m. | 17\u00a0minutes ago\n \n Description : Repomix is a tool that packs repositories into AI-friendly files. Pri...", "creation_timestamp": "2026-07-15T21:30:17.722704Z"}]}