cvedb.io
CVE-2026-30973
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2026-03-10T18:18:56.063 · Last modified 2026-06-17T10:33:15.117

Summary

Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range of platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option. This vulnerability is fixed in 7.0.6.
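The defect class described above, as an added example that is not Appium's code: a containment check that builds an Error without throwing it, next to the same check with the throw in place. All function names, the sample entry names and the destination directory are hypothetical, and nothing is written to disk.

```javascript
const path = require('node:path');

// Constructed sample entry names; the last two try to escape the destination.
const SAMPLE_ENTRIES = ['app/Info.plist', '../../outside.txt', 'app/../../escape.sh'];

// Resolve entryName under destDir and report whether the result stays inside it.
function resolveInside(destDir, entryName) {
  const root = path.resolve(destDir);
  const target = path.resolve(root, entryName);
  const rel = path.relative(root, target);
  const inside = rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
  return { target, inside };
}

// Defect pattern from the summary: the Error is constructed but never thrown,
// so execution falls through and the out-of-tree path is handed to the writer.
function checkedPathBroken(destDir, entryName) {
  const { target, inside } = resolveInside(destDir, entryName);
  if (!inside) {
    new Error(`Out of bound path: ${target}`); // no-op: missing `throw`
  }
  return target;
}

// Corrected form: identical check, but the Error is thrown and extraction stops.
function checkedPathFixed(destDir, entryName) {
  const { target, inside } = resolveInside(destDir, entryName);
  if (!inside) {
    throw new Error(`Entry "${entryName}" resolves outside "${destDir}"`);
  }
  return target;
}

// Dry run over entry names: collects the paths a check lets through and the
// entry names it rejects, without touching the filesystem.
function planExtraction(checkFn, destDir, entryNames) {
  const accepted = [];
  const rejected = [];
  for (const name of entryNames) {
    try {
      accepted.push(checkFn(destDir, name));
    } catch (err) {
      rejected.push(name);
    }
  }
  return { accepted, rejected };
}
```

A regression test for an extractor can use the same idea: feed it an archive entry containing ../ and assert that extraction fails rather than only asserting that well-formed archives succeed.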

Affected products

appium — appium/support

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.