VYPR
Medium severity 6.5 · NVD Advisory · Published Apr 22, 2026 · Updated May 11, 2026

CVE-2026-32885

Description

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both the Untar() and Unzip() functions in pkg/archive/archive.go: DDEV downloads archives from remote sources and extracts them without path validation. Version 1.25.2 patches the issue.
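
The kind of path validation the description says is missing, as an added example; it is not DDEV's code or its 1.25.2 patch. The names checkTar and sampleTar, the destination /tmp/out and the archive contents are assumptions made for illustration, and filepath.IsLocal requires Go 1.20 or later.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
)

// checkTar (hypothetical name) validates every entry before anything is
// written and returns the planned output paths under dest. It fails closed on
// the first entry that is absolute, climbs out with "..", or is not a plain
// file or directory (a link entry could redirect a later write).
func checkTar(r io.Reader, dest string) ([]string, error) {
	var targets []string
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		switch {
		case err != nil:
			return nil, err
		case hdr.Typeflag != tar.TypeReg && hdr.Typeflag != tar.TypeDir:
			return nil, fmt.Errorf("refusing entry type %q for %q", hdr.Typeflag, hdr.Name)
		case !filepath.IsLocal(hdr.Name): // lexical check, Go 1.20+
			return nil, fmt.Errorf("entry %q would land outside %q", hdr.Name, dest)
		}
		targets = append(targets, filepath.Join(dest, hdr.Name))
	}
	return targets, nil
}

// sampleTar builds a constructed in-memory archive of empty entries.
func sampleTar(typ byte, names ...string) io.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Typeflag: typ})
	}
	tw.Close()
	return &buf
}

func main() {
	fmt.Println(checkTar(sampleTar(tar.TypeReg, "web/index.php"), "/tmp/out"))
	fmt.Println(checkTar(sampleTar(tar.TypeReg, "web/index.php", "../outside.txt"), "/tmp/out"))
}
```

The same name check applies to each zip entry name before a zip archive is unpacked. Running the whole archive through the check first means a bad entry late in the stream cannot leave a half-extracted tree behind.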

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/ddev/ddev (Go)
Affected versions: < 1.25.2
Patched versions: 1.25.2
