SCA: security update for tmp (GHSA-7c78-jf6q-g5cm)

high Tenable Self-Hosted Container Security Plugin ID 443215

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring '..'. It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains '../'. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges. This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion. This vulnerability is fixed in 0.2.7. (CVE-2026-49982)

Solution

Update the tmp library and its related packages to version 0.2.7 or later.

See Also

https://github.com/advisories/GHSA-7c78-jf6q-g5cm

Plugin Details

Severity: High

ID: 443215

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 6/15/2026

Updated: 6/15/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 52.03

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:P

CVSS Score Source: CVE-2026-49982

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/15/2026

Vulnerability Publication Date: 6/11/2026

Reference Information

CVE: CVE-2026-49982