MET-2026-002

SharpCompress (CVE-2026-44788)

Bulletin ID	MET-2026-002
Date (published)	2026-05-11T00:00:00.000Z
Date (last updated)	2026-05-11T00:00:00.000Z
Severity	Informational

Description

On May 6th, 2026, a vulnerability was published on SharpCompress, a managed C# library for reading and writing common archive formats. The WriteToDirectory() and WriteToDirectoryAsync() extraction helpers do not normalize entry paths before creating directories, allowing a malicious archive to create directories outside the intended extraction root. Combined with TAR symbolic link entries, this can be chained into arbitrary file writes.

All versions of SharpCompress up to and including 0.47.4 are affected. No patched release is available as of this bulletin.

Affected Products/Services

Metaplay infrastructure and product are not affected by this vulnerability.

MetaplaySDK references SharpCompress in Metaplay.Cloud but does not call the vulnerable extraction APIs. The only call site, GeolocationExtractionUtil.ExtractFileByNameFromTarGz, walks a .tar.gz archive and copies a single named entry into a MemoryStream; nothing is ever written to the filesystem.
The archive consumed by this call site is downloaded from MaxMind over HTTPS. No untrusted-archive ingress path reaches the SDK's SharpCompress usage.

Impact

None.

Solution

As MetaplaySDK is not affected, no action is required. SharpCompress has not published a patched release, so no in-place package version override is available.

To silence the NU1902 build warning emitted by NuGet's security audit for this specific advisory, add a NuGetAuditSuppress entry to the project file. The patch has been tested to apply to MetaplaySDK versions 35 and 36.

MetaplaySDK/Backend/Cloud/Metaplay.Cloud.csproj

diff

    <PackageReference Include="SharpCompress" Version="0.40.0" />
+   <!-- Suppress the audit warning for CVE-2026-44788; the vulnerable
+        WriteToDirectory APIs are not called by MetaplaySDK. -->
+   <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-6c8g-7p36-r338" />

CVE and CVSS Information

CVE-2026-44788

References

GHSA-6c8g-7p36-r338

Contact Information

Security-related questions or concerns can be sent to security@metaplay.io.

Revision History

Date	Description
2026-05-11	Security Bulletin released

Getting Started

New Game

Existing Game

Sample Projects

Wordle

Orca

SDK Updates

Release Notes

Release 36

Release 35

Release 34

Release 33

Release 32

Release 31

Release 30

Release 29

Release 27

Release 25

Security Bulletins

Open Source Software Licenses

AI Assistants

MET-2026-002

Description

Affected Products/Services

Impact

Solution

CVE and CVSS Information

References

Contact Information

Revision History

New Game

Existing Game

Wordle

Orca

Release Notes

Release 36

Release 35

Release 34

Release 33

Release 32

Release 31

Release 30

Release 29

Release 27

Release 25

MET-2026-002

Description ​

Affected Products/Services ​

Impact ​

Solution ​

CVE and CVSS Information ​

References ​

Contact Information ​

Revision History ​

Description

Affected Products/Services

Impact

Solution

CVE and CVSS Information

References

Contact Information

Revision History