Archive-Extraction

A command injection vulnerability (CVE-2026-44604) exists in the `rpmuncompress` utility of RPM; when extracting specially crafted ZIP, 7z, or GEM archives, an attacker can inject shell commands via a malicious top-level folder name, leading to arbitrary code execution as the user running the extraction.

Detect-It-Easy versions prior to 3.21 are vulnerable to path traversal, allowing attackers to write arbitrary files to the filesystem and potentially achieve code execution by crafting malicious archive entries.