{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3087", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2026-02-23T23:14:46.433Z", "datePublished": "2026-04-27T20:46:43.201Z", "dateUpdated": "2026-04-28T05:07:42.331Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["shutil"], "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"status": "affected", "version": "0", "versionType": "python"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"}, {"lang": "en", "type": "coordinator", "value": "Seth Larson (https://github.com/sethmlarson)"}, {"lang": "en", "type": "reporter", "value": "GGAutomaton (https://github.com/GGAutomaton)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability."}], "value": "If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-04-27T20:50:34.895Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/python/cpython/pull/146591"}, {"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/146581"}, {"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/"}], "source": {"discovery": "UNKNOWN"}, "title": "shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs", "x_generator": {"engine": "Vulnogram 0.6.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/28/9"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-28T05:07:42.331Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability."}], "id": "CVE-2026-3087", "lastModified": "2026-04-28T06:16:03.233", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2026-04-27T21:16:42.480", "references": [{"source": "cna@python.org", "url": "https://github.com/python/cpython/issues/146581"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/pull/146591"}, {"source": "cna@python.org", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/28/9"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cna@python.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "CPython", "source": "cna", "vendor": "Python Software Foundation"}, "product": "cpython", "vendor": "python"}], "analysis": {"en": {"generated_at": "2026-04-28T12:50:37.996241+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest CPython release that incorporates the patch for this issue", "Replace calls to shutil.unpack_archive with a custom extraction routine that validates or sanitizes each archive entry, rejecting absolute Windows paths that begin with a drive letter or a root slash", "If an upgrade or replacement is not immediately possible, limit unpacking to a secured directory and explicitly check each path component before extraction to ensure it stays within the designated target"], "summary": {"action": "Apply Patch", "impact": "Directory traversal that allows extraction outside the intended target directory"}, "threat_synthesis": {"affected_systems": "All CPython releases that include the standard library function shutil.unpack_archive() are vulnerable on Windows. The flaw is specific to the Windows platform; other operating systems correctly enforce the target directory. Exact versions are not listed, so any CPython installation on Windows that calls unpack_archive to extract ZIP archives should be treated as affected until a patch is applied.", "description_and_impact": "shutil.unpack_archive() extracts the contents of a ZIP file into a target directory, but when the archive contains an absolute Windows path that starts with a drive letter, the function ignores the target directory and writes files wherever the path points. This behavior enables an attacker to overwrite or create files outside the intended extraction area, effectively a directory traversal vulnerability (CWE\u201122).", "risk_and_exploitability": "The CVSS score of 6 indicates medium severity, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires supply of a malicious ZIP file to code that calls unpack_archive, making the attack vector local or user\u2011controlled. An attacker could place files on the system, potentially overwriting existing files or writing malicious payloads to unintended locations."}}}}, "created": "2026-04-28T00:15:05.298038+00:00", "updated": "2026-04-28T13:00:15.232639+00:00", "vendors": ["python", "python$PRODUCT$cpython"]}