CVE-2026-39243 | Absolute decompress up to 4.2.1 Archive Extraction index.js fs.link x.linkname path traversal
A vulnerability identified as critical has been detected in Absolute decompress up to 4.2.1. Affected by this issue is the function fs.link of the file index.js of the component Archive Extraction. This manipulation of the argument x.linkname causes path traversal.
This vulnerability appears as CVE-2026-39243. The attack may be initiated remotely. There is no available exploit.