Product
A critical vulnerability (CVE-2026-53486) in the `@xhmikosr/decompress` and unmaintained `decompress` npm packages allows attackers to craft malicious archives that, upon extraction, can write or read files outside the target directory, expose arbitrary file contents, or create setuid/setgid files leading to arbitrary file system modification, information disclosure, and potential privilege escalation.