CVE-2026-32885

· NIST NVD ↗

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both `Untar()` and `Unzip()` functions in `pkg/archive/archive.go`. Downloads and extracts archives from remote sources without path validation. Version 1.25.2 patches the issue.

MEDIUM
CVSS severity
6.5
CVSS base score
2026-04-22
Published

CWE codes

CWE-22

Affected products

ddev:ddev

Sources