CVE-2026-3087

UNKNOWN 0.0

shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

CWE	CWE-22
Vendor	python software foundation
Product	cpython
Published	Apr 27, 2026
Last Updated	Apr 27, 2026

Stay Ahead of the Next One

Get instant alerts for python software foundation cpython

Be the first to know when new unknown vulnerabilities affecting python software foundation cpython are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Python Software Foundation / CPython

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/python/cpython/pull/146591 github.com: https://github.com/python/cpython/issues/146581 mail.python.org: https://mail.python.org/archives/list/[email protected]/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/

Credits

Serhiy Storchaka (https://github.com/serhiy-storchaka) Seth Larson (https://github.com/sethmlarson) 🔍 GGAutomaton (https://github.com/GGAutomaton)