CVE-2026-33686: Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil
A path traversal vulnerability exists in the FileUtil class of the code16/sharp package. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer.
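The defect class described above, as an added example that is not code from code16/sharp: a filename normalizer that cleans the base name but trusts the extension, next to a version that validates the extension. The function names, the allow-pattern and the sample inputs are assumptions made for illustration and do not reproduce Sharp's FileUtil.

```php
<?php
// Added illustration; hypothetical helpers, not code from code16/sharp.

// Weak pattern: the base name is cleaned, the extension is trusted as-is.
function normalizeWeak(string $fileName): string
{
    $dot = strrpos($fileName, '.');
    if ($dot === false) {
        return preg_replace('/[^A-Za-z0-9_-]/', '-', $fileName);
    }
    $base = preg_replace('/[^A-Za-z0-9_-]/', '-', substr($fileName, 0, $dot));
    $ext  = substr($fileName, $dot + 1);   // may still contain "/" or "\"
    return $base . '.' . $ext;
}

// Hardened pattern: the extension must match a strict allow-pattern
// (assumed here: 1 to 10 alphanumeric characters), otherwise reject.
function normalizeStrict(string $fileName): string
{
    $dot  = strrpos($fileName, '.');
    $base = $dot === false ? $fileName : substr($fileName, 0, $dot);
    $ext  = $dot === false ? '' : substr($fileName, $dot + 1);
    $base = preg_replace('/[^A-Za-z0-9_-]/', '-', $base);
    if ($base === '') {
        $base = 'file';
    }
    if ($ext === '') {
        return $base;
    }
    if (!preg_match('/\A[A-Za-z0-9]{1,10}\z/', $ext)) {
        throw new InvalidArgumentException('Rejected file extension');
    }
    return $base . '.' . strtolower($ext);
}

// Constructed sample inputs: one ordinary name, two with a separator
// placed after the dot so that it lands in the "extension".
$samples = ['Report 2024.pdf', 'avatar.png/other-dir/name', 'photo.jpg\\name'];
foreach ($samples as $name) {
    $weak = normalizeWeak($name);
    try {
        $strict = normalizeStrict($name);
    } catch (InvalidArgumentException $e) {
        $strict = '(rejected)';
    }
    printf("%-28s weak=%-28s strict=%s\n", $name, $weak, $strict);
}
```

In the weak variant the separator survives into the returned name, which is what lets it reach the storage layer; the strict variant rejects both constructed inputs and leaves the ordinary name unchanged apart from the space.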