CVE-2026-3087

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

CVSS

No CVSS.

References

Link	Resource
https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840
https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd
https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4
https://github.com/python/cpython/issues/146581
https://github.com/python/cpython/pull/146591
https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
http://www.openwall.com/lists/oss-security/2026/04/28/9

Configurations

No configuration.

History

29 Apr 2026, 16:16

Type	Values Removed	Values Added
References		() https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840 - () https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd - () https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4 -

28 Apr 2026, 06:16

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2026/04/28/9 -

27 Apr 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-27 21:16

Updated : 2026-04-29 16:16

NVD link : CVE-2026-3087

Mitre link : CVE-2026-3087

CVE.ORG link : CVE-2026-3087

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-3087", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cna@python.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-27T21:16:42.480", "references": [{"url": "https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/issues/146581", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/pull/146591", "source": "cna@python.org"}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/", "source": "cna@python.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/28/9", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "cna@python.org", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability."}], "lastModified": "2026-04-29T16:16:24.020", "sourceIdentifier": "cna@python.org"}