{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-49982/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-11T18:24:22.459Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-49982","@id":"https://www.cve.org/CVERecord?id=CVE-2026-49982","description":"tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring '..'. It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains ../. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a"},"products":[{"@id":"cpe:2.3:a:raszi:node-tmp:0.2.6:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:raszi:node-tmp:0.2.6:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-11T18:24:22.459Z"}]}