
Description

If `shutil.unpack_archive()` is given a ZIP archive containing a member whose name is an absolute Windows path with a drive letter (`C:\\...`), that member is extracted outside the target directory; this differs from the behaviour on other operating systems. Only Windows is affected by this vulnerability.
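A defensive pre-extraction check for the member-name class this record describes, added here as an illustrative example and not code from CPython or from the fix: it rejects drive-letter, UNC, absolute and parent-relative member names on every host, so the archive is refused before `shutil.unpack_archive()` ever sees it. The function names, the `safe_unpack` wrapper and the sample archive are constructed for this example.

```python
import io
import ntpath
import posixpath
import shutil
import zipfile


def is_unsafe_member(name: str) -> bool:
    """True if a ZIP member name could resolve outside the extraction root.

    The same policy is applied on every host, so a drive-letter path such as
    C:\\... is rejected on Linux as well as on Windows, where this record says
    shutil.unpack_archive() would otherwise follow it.
    """
    unified = name.replace("\\", "/")          # ZIP names may use either separator
    if posixpath.isabs(unified):               # "/etc/x" or "\\\\server\\share\\x"
        return True
    if ntpath.splitdrive(name)[0]:             # "C:..." or a UNC prefix
        return True
    return any(part == ".." for part in unified.split("/"))


def unsafe_members(archive: bytes) -> list[str]:
    """Names of every member in an in-memory ZIP that fails the policy above."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [i.filename for i in zf.infolist() if is_unsafe_member(i.filename)]


def safe_unpack(archive_path: str, dest: str) -> None:
    """Inspect first, extract second: refuse the whole archive on any bad name."""
    with open(archive_path, "rb") as fh:
        bad = unsafe_members(fh.read())
    if bad:
        raise ValueError(f"refusing to extract {archive_path}: unsafe member names {bad}")
    shutil.unpack_archive(archive_path, dest, format="zip")


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign member and three that must be rejected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign relative path")
        zf.writestr("C:\\Windows\\Temp\\escape.txt", "drive-letter absolute path")
        zf.writestr("/etc/escape.txt", "POSIX absolute path")
        zf.writestr("../escape.txt", "parent-directory traversal")
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_members(build_sample_archive()))
```

Running the block lists the three rejected member names from the constructed archive; `safe_unpack()` is the drop-in replacement for a bare `shutil.unpack_archive()` call on untrusted input.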

Status: PUBLISHED | Reserved 2026-02-23 | Published 2026-04-27 | Updated 2026-04-29 | Assigner: PSF

Severity: MEDIUM 6.0 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

Any version before 3.15.0
affected

Credits

Serhiy Storchaka (https://github.com/serhiy-storchaka) remediation developer

Seth Larson (https://github.com/sethmlarson) coordinator

GGAutomaton (https://github.com/GGAutomaton) reporter

References

www.openwall.com/lists/oss-security/2026/04/28/9

github.com/python/cpython/pull/146591 patch

github.com/python/cpython/issues/146581 issue-tracking

mail.python.org/.../thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/ vendor-advisory

github.com/...ommit/ab5ef98af693bded74a738570e81ea70abef2840 patch

github.com/...ommit/b01e594fbe754a960212f908d047294e880b52fd patch

github.com/...ommit/fc829e88753858c8ac669594bf0093f44948c0f4 patch

cve.org (CVE-2026-3087)

nvd.nist.gov (CVE-2026-3087)
