CVE-2026-3087
⚪ Informational
Extracting a ZIP archive that contains an absolute path on Windows can result in files being extracted outside the target directory.
CVSS
0.0
EPSS
0.1%
Exploit
none
Vendor
Source description (NVD)
If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
none
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 0.0 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.1% |
| Published (NVD) | 2026-04-27 21:16:42 UTC |
| Last modified (NVD) | 2026-04-29 16:16:24 UTC |
References
- https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840 (cna@python.org)
- https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd (cna@python.org)
- https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4 (cna@python.org)
- https://github.com/python/cpython/issues/146581 (cna@python.org)
- https://github.com/python/cpython/pull/146591 (cna@python.org)
- https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/ (cna@python.org)
- http://www.openwall.com/lists/oss-security/2026/04/28/9 (af854a3a-2127-422b-91ae-364da2661108)