CVE-2026-21436

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d	Patch
https://github.com/getsolus/eopkg/pull/201	Issue Tracking Patch
https://github.com/getsolus/eopkg/releases/tag/v4.4.0	Product Release Notes
https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:getsol:eopkg:*:*:*:*:*:python:*:*

History

04 Mar 2026, 21:33

Type	Values Removed	Values Added
Summary		(es) eopkg es un gestor de paquetes de Solus implementado en python3. En versiones anteriores a la 4.4.0, un paquete malicioso podría escapar del directorio establecido por `--destdir`. Esto requiere la instalación de un paquete de una fuente maliciosa o comprometida. Los archivos en dichos paquetes no se instalarían en la ruta especificada por `--destdir`, sino en una ubicación diferente en el host. El problema ha sido solucionado en la v4.4.0. Los usuarios que solo instalan paquetes de los repositorios de Solus no se ven afectados.
First Time		Getsol Getsol eopkg
CPE		cpe:2.3:a:getsol:eopkg::::::python::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
References	~~() https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d -~~	() https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d - Patch
References	~~() https://github.com/getsolus/eopkg/pull/201 -~~	() https://github.com/getsolus/eopkg/pull/201 - Issue Tracking, Patch
References	~~() https://github.com/getsolus/eopkg/releases/tag/v4.4.0 -~~	() https://github.com/getsolus/eopkg/releases/tag/v4.4.0 - Product, Release Notes
References	~~() https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m -~~	() https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m - Patch, Vendor Advisory

01 Jan 2026, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-01 18:15

Updated : 2026-03-04 21:33

NVD link : CVE-2026-21436

Mitre link : CVE-2026-21436

CVE.ORG link : CVE-2026-21436

JSON object : View

Products Affected

getsol

eopkg

CWE

CWE-24

Path Traversal: '../filedir'

5.5 /10