7.5

CVE-2026-3087

Exploit

shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PythonPython Version <= 3.14.4
   MicrosoftWindows Version-
PythonPython Version3.15.0 Updatealpha1
   MicrosoftWindows Version-
PythonPython Version3.15.0 Updatealpha2
   MicrosoftWindows Version-
PythonPython Version3.15.0 Updatealpha3
   MicrosoftWindows Version-
PythonPython Version3.15.0 Updatealpha4
   MicrosoftWindows Version-
PythonPython Version3.15.0 Updatealpha5
   MicrosoftWindows Version-
PythonPython Version3.15.0 Updatealpha6
   MicrosoftWindows Version-
PythonPython Version3.15.0 Updatealpha7
   MicrosoftWindows Version-
PythonPython Version3.15.0 Updatealpha8
   MicrosoftWindows Version-
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.53% 0.405
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
cna@python.org 6 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/python/cpython/issues/146581
Patch
Vendor Advisory
Exploit
Issue Tracking
https://github.com/python/cpython/pull/146591
Patch
Issue Tracking
https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
Vendor Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2026/04/28/9
Third Party Advisory
Mailing List
https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840
Patch
https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd
Patch
https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4
Patch
https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c
Patch
https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb
Patch
https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94
Patch
https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19
Patch