CVE-2026-21437

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d	Patch
https://github.com/getsolus/eopkg/pull/201	Issue Tracking Patch
https://github.com/getsolus/eopkg/releases/tag/v4.4.0	Product Release Notes
https://github.com/getsolus/eopkg/security/advisories/GHSA-hjp7-qwrj-6cc6	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:getsol:eopkg:*:*:*:*:*:python:*:*

History

04 Mar 2026, 21:31

Type	Values Removed	Values Added
Summary		(es) eopkg es un gestor de paquetes de Solus implementado en python3. En versiones anteriores a la 4.4.0, un paquete malicioso podría incluir archivos que no son rastreados por 'eopkg'. Esto requiere la instalación de un paquete de una fuente maliciosa o comprometida. Los archivos en dichos paquetes no serían mostrados por 'lseopkg' y herramientas relacionadas. El problema ha sido solucionado en la v4.4.0. Los usuarios que solo instalan paquetes de los repositorios de Solus no se ven afectados.
CPE		cpe:2.3:a:getsol:eopkg::::::python::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
First Time		Getsol Getsol eopkg
References	~~() https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d -~~	() https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d - Patch
References	~~() https://github.com/getsolus/eopkg/pull/201 -~~	() https://github.com/getsolus/eopkg/pull/201 - Issue Tracking, Patch
References	~~() https://github.com/getsolus/eopkg/releases/tag/v4.4.0 -~~	() https://github.com/getsolus/eopkg/releases/tag/v4.4.0 - Product, Release Notes
References	~~() https://github.com/getsolus/eopkg/security/advisories/GHSA-hjp7-qwrj-6cc6 -~~	() https://github.com/getsolus/eopkg/security/advisories/GHSA-hjp7-qwrj-6cc6 - Patch, Vendor Advisory

01 Jan 2026, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-01 18:15

Updated : 2026-03-04 21:31

NVD link : CVE-2026-21437

Mitre link : CVE-2026-21437

CVE.ORG link : CVE-2026-21437

JSON object : View

Products Affected

getsol

eopkg

CWE

CWE-353

Missing Support for Integrity Check

5.5 /10