{"vulnerability": "cve-2026-49982", "sightings": [{"uuid": "a518fa43-38a0-4c9f-a38c-b51fe48bf6fc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49982", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3modmgo34nk2s", "content": "\ud83d\udccc CVE-2026-49982 - tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contai... https://www.cyberhub.blog/cves/CVE-2026-49982", "creation_timestamp": "2026-06-15T15:37:06.567641Z"}, {"uuid": "9e11179f-b448-4842-a2c8-756348a03c8e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49982", "type": "published-proof-of-concept", "source": "https://github.com/raszi/node-tmp/security/advisories/GHSA-7c78-jf6q-g5cm", "content": "", "creation_timestamp": "2026-05-27T15:48:27.000000Z"}, {"uuid": "996dc09a-9e44-4bc7-b0b9-ff9b10286a33", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49982", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mnzslz7nzj25", "content": "\ud83d\udfe0 CVE-2026-49982 - High (8.2)\n\ntmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guar...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-49982/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-11T18:00:52.083143Z"}, {"uuid": "a10e5ae7-a715-4ce7-abd3-c70d43252421", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49982", "type": "seen", "source": "https://gist.github.com/alon710/0bdb094f8b35593b7efeef728ecec669", "content": "# CVE-2026-49982: CVE-2026-49982: Path Traversal Bypass via Type Confusion in node-tmp\n\n> **CVSS Score:** 8.2\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-49982\n\n## Summary\nA high-severity type-confusion path traversal vulnerability (CVE-2026-49982 / GHSA-7c78-jf6q-g5cm) exists in the node-tmp package version 0.2.6. The vulnerability allows remote attackers to bypass path validation checks by passing non-string data types such as Arrays or duck-typed Objects into options like prefix, postfix, or template. Because the library relies on the .includes() method without verifying the input type, standard array checks evaluate differently than string checks. Downstream string coercion subsequently restores the traversal sequence, allowing files and directories to be created outside the designated temporary directory root. This can result in arbitrary file writes and potential local file execution depending on application context.\n\n## TL;DR\nA type-confusion vulnerability in node-tmp version 0.2.6 allows path traversal checks to be bypassed using non-string options (such as arrays). This results in arbitrary file and directory creation outside the temporary workspace, potentially leading to unauthorized writes and host compromise.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-20, CWE-22\n- **Attack Vector**: Network\n- **CVSS**: 8.2 (High)\n- **EPSS Score**: 0.00447\n- **Impact**: Integrity (High), Availability (Low)\n- **Exploit Status**: Proof of Concept (PoC) available\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Node.js applications running node-tmp version 0.2.6\n- **tmp**: = 0.2.6 (Fixed in: `0.2.7`)\n\n## Mitigation\n\n- Upgrade node-tmp dependency to version 0.2.7 or higher\n- Enforce strict string type validation on all user inputs passed to file-creation APIs\n- Sanitize nested parameters from parsed JSON payloads or bracketed query string structures\n- Ensure host processes run with the least privilege necessary to minimize filesystem access\n\n**Remediation Steps:**\n1. Run 'npm install tmp@0.2.7' to update the local package dependencies.\n2. Validate the update by checking the package-lock.json or yarn.lock file for version 0.2.7.\n3. Audit application route handlers for any references to tmp.file, tmp.dir, or tmp.tmpName.\n4. Deploy localized input sanitation logic to verify that prefix, postfix, and template options are strict string types.\n\n## References\n\n- [GitHub Security Advisory Details](https://github.com/raszi/node-tmp/security/advisories/GHSA-7c78-jf6q-g5cm)\n- [NVD Vulnerability Listing](https://nvd.nist.gov/vuln/detail/CVE-2026-49982)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49982) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T17:11:14.000000Z"}]}