Is CVE-2026-49982 in the CISA KEV catalog?

No. CVE-2026-49982 is not currently on the CISA Known Exploited Vulnerabilities list.

What is the CVSS severity of CVE-2026-49982?

CVE-2026-49982 has a CVSS v3 base score of 8.2 (HIGH).

What is the EPSS score for CVE-2026-49982?

CVE-2026-49982 has an EPSS score of 0.50% (39th percentile), estimating the probability of exploitation in the next 30 days.

CVE & CISA-KEV Catalog

CVE-2026-49982

HIGH

8.2

CVSS v3

NVD

Description

tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains ../. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges. This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion. This vulnerability is fixed in 0.2.7.

CWE-20Improper Input Validation CWE-22Path Traversal

CVSS v3 Vector

Exploitability

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

Impact

ConfidentialityNone

IntegrityHigh

AvailabilityLow

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Exploit Intelligence

0.50%probability of exploitation in 30 days

39thpercentile

Low risk: more likely to be exploited than 39% of all known CVEs.

References

https://github.com/raszi/node-tmp/security/advisories/GHSA-7c78-jf6q-g5cm

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-06-15.