CVE-2026-3087

Sažetak

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

Reference

https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840
https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd
https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4
https://github.com/python/cpython/issues/146581
https://github.com/python/cpython/pull/146591
https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
http://www.openwall.com/lists/oss-security/2026/04/28/9

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

29-04-2026 - 16:16

Objavljeno

27-04-2026 - 21:16