CVE-2026-3087

shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs

Published: 4/27/2026 Last updated: 6/4/2026 Reserved: 2/23/2026

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`), the archive will be extracted outside the target directory. Other operating systems do not behave this way; only Windows is affected by this vulnerability.
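A pre-extraction check for the condition described above, as an added example that is not CPython's code or its fix: it evaluates each ZIP member name under Windows path rules with `ntpath` and refuses to extract if any name carries a drive. It goes beyond the drive-letter case on this page and also flags UNC shares, rooted paths and `..` components; `flagged_members`, `checked_unpack` and `build_zip` are hypothetical names, and the member names in the demo are constructed.

```python
import io
import ntpath
import shutil
import zipfile


def flagged_members(archive):
    """Return ZIP member names that Windows path rules would place outside
    the extraction directory. `archive` is a path or a binary file object."""
    flagged = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            # Member names normally use "/"; evaluate them with Windows
            # semantics (ntpath) regardless of the host running the check.
            win = name.replace("/", "\\")
            drive, rest = ntpath.splitdrive(win)  # drive letter or UNC share
            parts = [p for p in rest.split("\\") if p]
            if drive or rest.startswith("\\") or ".." in parts:
                flagged.append(name)
    return flagged


def checked_unpack(archive_path, dest):
    """Hypothetical wrapper: extract only when no member name is flagged."""
    bad = flagged_members(archive_path)
    if bad:
        raise ValueError(f"refusing to extract, unsafe member names: {bad}")
    shutil.unpack_archive(archive_path, dest, format="zip")


def build_zip(names):
    """Constructed sample data: an in-memory ZIP with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"demo")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip(["docs/readme.txt", "C:\\Temp\\demo.txt", "D:/demo.bin"])
    print(flagged_members(io.BytesIO(sample)))
```

Because the check uses `ntpath` rather than `os.path`, it gives the same verdict when archives are screened on a non-Windows host before being handed to Windows systems.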

CNA assigner: PSF (28c92f92-d60d-412d-b760-e73465c3df22) Requested by: n/a

Metrics

| Version | Score | Severity | Vector String |
|---|---|---|---|
| 4.0 | 6 | Medium | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |

Opam packages affected (7)

conf-python-2-7 conf-python-2-7-dev conf-python-3 conf-python-3-7 conf-python-3-dev py termbox

Products affected (2)

| Product | Vendor | Version |
|---|---|---|
| CPython | Python Software Foundation | n/a |
| CPython | Python Software Foundation | 2013 Service Pack 1 (32-bit editions) |

References (22)

Credits (6)