Directory Traversal Affecting prism package, versions <5.15.10-r2


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.35% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-WOLFILATEST-PRISM-17139789
  • published3 Jun 2026
  • disclosed11 Jun 2026

Introduced: 3 Jun 2026

CVE-2026-44705  (opens in a new tab)
CWE-22  (opens in a new tab)

How to fix?

Upgrade Wolfi prism to version 5.15.10-r2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream prism package and not the prism package as distributed by Wolfi. See How to fix? for Wolfi relevant fixed versions and status.

tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.

CVSS Base Scores

version 3.1