Path Traversal Vulnerability in Outline Collaboration Service
CVE-2026-43888

8.7 HIGH

Key Information:

Vendor: Outline

Status
Vendor
CVE Published: 11 May 2026

What is CVE-2026-43888?

The Outline Collaboration Service contains a path traversal vulnerability in its ZipHelper.extract functionality prior to version 1.7.0. This issue arises when the extraction of zip file contents results in file paths that exceed the maximum allowed length. As a result, the application fails to properly handle directory structures, leading to unintended file creation in the working directory instead of the designated extraction sandbox. This can potentially expose the system to various security risks, including unauthorized file access. The vulnerability was addressed in version 1.7.0 to prevent such occurrences.
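One way to guard an extraction routine against the failure mode described above, as an added example that is not Outline's code or its 1.7.0 fix: every entry name is resolved against the sandbox, checked for containment, and rejected outright when it exceeds the path limits, instead of being written somewhere else. The function names, the 255/4096-byte limits and the sample entries are assumptions made for illustration.

```javascript
// Added example: function names and limits are assumptions, not Outline's code.
const path = require("node:path");

const MAX_NAME_BYTES = 255;  // assumed per-component limit (typical on Linux)
const MAX_PATH_BYTES = 4096; // assumed whole-path limit (typical on Linux)

// Resolve one zip entry name to its destination inside sandboxDir, or throw.
// Over-long names are rejected outright: never truncated, never written
// anywhere other than the resolved destination.
function resolveEntryPath(sandboxDir, entryName) {
  const root = path.resolve(sandboxDir);
  if (entryName.includes("\0")) throw new Error("NUL byte in entry name");
  // Treat backslashes as separators so "..\\x" cannot hide a traversal.
  const normalized = entryName.replace(/\\/g, "/");
  const dest = path.resolve(root, normalized);
  const rel = path.relative(root, dest);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("entry escapes sandbox");
  }
  for (const segment of rel.split(path.sep)) {
    if (Buffer.byteLength(segment) > MAX_NAME_BYTES) throw new Error("path component too long");
  }
  if (Buffer.byteLength(dest) > MAX_PATH_BYTES) throw new Error("path too long");
  return dest;
}

// Validate every entry before anything is written to disk.
function planExtraction(sandboxDir, entryNames) {
  const plan = { accepted: [], rejected: [] };
  for (const name of entryNames) {
    try {
      plan.accepted.push(resolveEntryPath(sandboxDir, name));
    } catch (err) {
      plan.rejected.push({ name, reason: err.message });
    }
  }
  return plan;
}

// Constructed sample entry names (not taken from a real archive).
const SAMPLE_ENTRIES = [
  "docs/readme.md",
  "../../etc/cron.d/job",
  "a".repeat(300) + ".md",
  "nested/" + "d/".repeat(3000) + "f.txt",
];
const samplePlan = planExtraction("/tmp/import-sandbox", SAMPLE_ENTRIES);
console.log(samplePlan.accepted, samplePlan.rejected.map((r) => r.reason));
```

Validating the whole archive before the first write means a single rejected entry can abort the import without leaving partial output on disk.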

Affected Version(s)

outline < 1.7.0

References

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
