CVE-2026-44705 - High Severity Vulnerability
Vulnerable Library - tmp-0.2.5.tgz
Temporary file and directory creator
Library home page: https://registry.npmjs.org/tmp/-/tmp-0.2.5.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/node_modules/.pnpm/tmp@0.2.5/node_modules/tmp/package.json
Dependency Hierarchy:
- @postgres.ai/ce-4.0.3.tgz (Root Library)
- cypress-14.5.4.tgz
- ❌ tmp-0.2.5.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.
Publish Date: 2026-06-11
URL: CVE-2026-44705
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/raszi/node-tmp.git - v0.2.6
Step up your Open Source Security Game with Mend here
CVE-2026-44705 - High Severity Vulnerability
Temporary file and directory creator
Library home page: https://registry.npmjs.org/tmp/-/tmp-0.2.5.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/node_modules/.pnpm/tmp@0.2.5/node_modules/tmp/package.json
Dependency Hierarchy:
Found in base branch: master
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.
Publish Date: 2026-06-11
URL: CVE-2026-44705
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/raszi/node-tmp.git - v0.2.6
Step up your Open Source Security Game with Mend here