๐Ÿ” CVE Alert

CVE-2026-3087

UNKNOWN 0.0

shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

If `shutil.unpack_archive()` is given a ZIP archive containing an absolute Windows path with a drive (`C:\\...`), the archive is extracted outside the target directory, which differs from the behavior on other operating systems. Only Windows is affected by this vulnerability.
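A pre-extraction check for the condition described above, as an added example (not code from CPython or from its fix). The function names `unsafe_zip_members` and `build_sample_zip` are hypothetical, the sample archive is constructed in memory, and the check goes slightly beyond the drive-letter case by also flagging leading separators and `..` components.

```python
import io
import ntpath
import zipfile


def unsafe_zip_members(zip_source):
    """Return (member_name, reason) for names that could escape the target dir.

    Names are judged with Windows path rules (ntpath) on every host OS, so the
    same archive gets the same verdict on Linux CI and on a Windows server.
    """
    findings = []
    with zipfile.ZipFile(zip_source) as zf:
        for name in zf.namelist():
            drive, _ = ntpath.splitdrive(name)
            parts = name.replace("\\", "/").split("/")
            if drive:
                findings.append((name, "windows drive or UNC prefix"))
            elif parts[0] == "":
                findings.append((name, "absolute path"))
            elif ".." in parts:
                findings.append((name, "parent directory component"))
    return findings


def build_sample_zip():
    """Constructed in-memory archive: one benign member, two suspicious ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "ok")
        zf.writestr("C:/Temp/dropped.txt", "constructed")
        zf.writestr("../escape.txt", "constructed")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for member, reason in unsafe_zip_members(build_sample_zip()):
        print(f"reject: {member!r} ({reason})")
```

Run the check on untrusted archives and refuse to call `shutil.unpack_archive()` when it returns any findings.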

CWE: CWE-22
Vendor: python software foundation
Product: cpython
Published: Apr 27, 2026
Last Updated: Jun 10, 2026

Affected Versions

Python Software Foundation / CPython
0 < 3.13.14
3.14.0a1 < 3.14.5rc1
3.15.0a1 < 3.15.0b1

References

github.com: https://github.com/python/cpython/pull/146591
github.com: https://github.com/python/cpython/issues/146581
mail.python.org: https://mail.python.org/archives/list/[email protected]/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
github.com: https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840
github.com: https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd
github.com: https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4
github.com: https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c
github.com: https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb
github.com: https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94
github.com: https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19
openwall.com: http://www.openwall.com/lists/oss-security/2026/04/28/9

Credits

Serhiy Storchaka (https://github.com/serhiy-storchaka)
Seth Larson (https://github.com/sethmlarson)
GGAutomaton (https://github.com/GGAutomaton)