CVE-2026-3087 | THREATINT

Description

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

PUBLISHED Reserved 2026-02-23 | Published 2026-04-27 | Updated 2026-06-10 | Assigner PSF

MEDIUM: 6.0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

Product status

Default status

unaffected

Any version before 3.13.14

affected

3.14.0a1 (python) before 3.14.5rc1

affected

3.15.0a1 (python) before 3.15.0b1

affected

Credits

Serhiy Storchaka (https://github.com/serhiy-storchaka) remediation developer

Seth Larson (https://github.com/sethmlarson) coordinator

GGAutomaton (https://github.com/GGAutomaton) reporter

References

www.openwall.com/lists/oss-security/2026/04/28/9

github.com/python/cpython/pull/146591 patch

github.com/python/cpython/issues/146581 issue-tracking

mail.python.org/.../thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/ vendor-advisory

github.com/...ommit/ab5ef98af693bded74a738570e81ea70abef2840 patch

github.com/...ommit/b01e594fbe754a960212f908d047294e880b52fd patch

github.com/...ommit/fc829e88753858c8ac669594bf0093f44948c0f4 patch

github.com/...ommit/65b255416ae217bf0e22085be3c1976cea18bd8c patch

github.com/...ommit/8e13025747e1ca72e86d1f35637123f9c306f0cb patch

github.com/...ommit/8ee6aff14054b37b53e47194a2fa313e98163c94 patch

github.com/...ommit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19 patch

cve.org (CVE-2026-3087)

nvd.nist.gov (CVE-2026-3087)

Download JSON

help @ threatint.eu