๐Ÿ” CVE Alert

CVE-2026-44722

MEDIUM 6.2

pyzipper: Encryption bypass for small files encrypted with pyzipper

CVSS Score
6.2
EPSS Score
0.0%
EPSS Percentile
0th

pyzipper is a replacement for Python's zipfile that can read and write AES encrypted zip files. Prior to 0.4.0, a Python operator precedence bug in pyzipper/zipfile_aes.py caused the AE-2 format to never be automatically selected during encryption, causing encrypted entries to be written in AE-1 format and exposing the plaintext CRC32 checksum in the ZIP header and, for unseekable zip archives, in the datadescripter section, allowing an attacker who possesses the archive to brute-force candidate plaintexts for small or low-entropy files by comparing CRC32 values. This issue is fixed in version 0.4.0.

CWE CWE-480
Vendor danifus
Product pyzipper
Published Jul 17, 2026
Last Updated Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for danifus pyzipper

Be the first to know when new medium vulnerabilities affecting danifus pyzipper are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

danifus / pyzipper
< 0.4.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/danifus/pyzipper/security/advisories/GHSA-crqm-m339-7m2p github.com: https://github.com/danifus/pyzipper/commit/93ce88e7dfd1635443197dab3fb8d477cff579ae github.com: https://github.com/danifus/pyzipper/releases/tag/v0.4.0