CVE-2026-21436
MEDIUM EPSS 17.0%
Published Jan 1, 20266mo ago · Modified Jun 17, 20262w ago
5.8 CVSS 4.0
Published Jan 1, 2026 6mo ago
Last Modified Jun 17, 2026 2w ago
Description
eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Local
Attack Complexity Low
Privileges Required High
User Interaction A
Scope X
Threat Intelligence
EPSS Exploit Probability
17.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-24
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| getsol | eopkg | * | <4.4.0 |
References 4
- github.com https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d
- github.com https://github.com/getsolus/eopkg/pull/201
- github.com https://github.com/getsolus/eopkg/releases/tag/v4.4.0
- github.com https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m
Remediation
- github.com https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d
- github.com https://github.com/getsolus/eopkg/pull/201
- github.com https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m