CVE-2026-3087
high
CVSS v3
7.5
CVSS v4 NEW
6.0
VIR risk
7.5
Description
If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
Predictions
Exploit likelihood
83%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | trixie | fixed | 0 |
References
- https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840
- https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd
- https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4
- https://github.com/python/cpython/issues/146581
- https://github.com/python/cpython/pull/146591
- https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
- http://www.openwall.com/lists/oss-security/2026/04/28/9
- https://security-tracker.debian.org/tracker/CVE-2026-3087
CWEs
CWE-22
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.