Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-43888— Outline: Zip Extraction Path Escape via PATH_MAX Truncation in Collection Import

CVSS 8.7 · High EPSS 0.05% · P16

Possible ATT&CK Techniques 1AI

T1083 · File and Directory Discovery

Affected Version Matrix 1

VendorProductVersion RangeStatus
outlineoutline< 1.7.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-43888

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Outline: Zip Extraction Path Escape via PATH_MAX Truncation in Collection Import
Source: NVD (National Vulnerability Database)
Vulnerability Description
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's nested path is long enough to push the joined filesystem path over MAX_PATH_LENGTH (4096 bytes), trimFileAndExt silently drops all directory components and returns a bare filename. fs.createWriteStream then opens the file relative to the process working directory instead of inside the extraction sandbox, and the escaped file persists after import cleanup because cleanupExtractedData only removes the temporary extraction directory. This vulnerability is fixed in 1.7.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Outline 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Outline是Outline开源的一个知识库。 Outline 1.7.0之前版本存在路径遍历漏洞,该漏洞源于ZipHelper.extract在计算提取路径时通过trimFileAndExt传递完整文件系统路径,当zip条目的嵌套路径足够长时,trimFileAndExt静默丢弃所有目录组件并返回裸文件名,导致文件在进程工作目录而非提取沙箱内打开,且转义文件在导入清理后持续存在。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
outlineoutline < 1.7.0 -

II. Public POCs for CVE-2026-43888

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-43888

登录查看更多情报信息。

Same Patch Batch · outline · 2026-05-11 · 6 CVEs total

CVE-2026-438868.2 HIGHOutline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Ac
CVE-2026-438907.7 HIGHOutline: IDOR in subscriptions.create allows cross-tenant subscription on private document
CVE-2026-438877.3 HIGHOutline: Stored XSS via Comment Mentions
CVE-2026-438896.5 MEDIUMOutline: Unauthorized Document Publication via Mixed collectionId+documentId Share
CVE-2026-446955.8 MEDIUMOutline: Slack OAuth state can link a victim Outline account to an attacker Slack identity

IV. Related Vulnerabilities

Same product: outline
Same vendor: outline
Same weakness: CWE-22

V. Comments for CVE-2026-43888

No comments yet

Leave a comment