CVE-2026-3087

MEDIUM · EPSS 40.8%
Published Apr 27, 2026 (2mo ago) · Modified Jun 17, 2026 (1w ago)
6.0 CVSS 4.0 (Medium)

Description

If `shutil.unpack_archive()` is given a ZIP archive whose member name is an absolute Windows path containing a drive letter (`C:\...`), the archive is extracted outside the target directory; on other operating systems this does not happen. Only Windows is affected by this vulnerability.

CVSS Details

Base Score: 6.0
Vector string: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability: 40.8% percentile
Exploit & Patch Status: Public Exploit Known; Patch Available

Weaknesses 1

CWE-22 Path Traversal (Resource Mgmt)

Affected Products 10

Vendor      Product   Version   Range
python      python    *         ≤3.14.4
python      python    3.15.0    any
python      python    3.15.0    any
python      python    3.15.0    any
python      python    3.15.0    any
python      python    3.15.0    any
python      python    3.15.0    any
python      python    3.15.0    any
python      python    3.15.0    any
microsoft   windows   *         any

References 11

  • openwall.com http://www.openwall.com/lists/oss-security/2026/04/28/9
    Mailing List, Third Party Advisory
  • github.com https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c
    Patch
  • github.com https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb
    Patch
  • github.com https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94
    Patch
  • github.com https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840
    Patch
  • github.com https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd
    Patch
  • github.com https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19
    Patch
  • github.com https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4
    Patch
  • github.com https://github.com/python/cpython/issues/146581
    Exploit, Issue Tracking, Patch, Vendor Advisory
  • github.com https://github.com/python/cpython/pull/146591
    Issue Tracking, Patch
  • mail.python.org https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
    Mailing List, Vendor Advisory

Remediation

  • github.com https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c
    Patch
  • github.com https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb
    Patch
  • github.com https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94
    Patch
  • github.com https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840
    Patch
  • github.com https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd
    Patch
  • github.com https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19
    Patch
  • github.com https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4
    Patch
  • github.com https://github.com/python/cpython/issues/146581
    Exploit, Issue Tracking, Patch, Vendor Advisory
  • github.com https://github.com/python/cpython/pull/146591
    Issue Tracking, Patch