CVE-2026-21436

Vulnerability Description

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

Vulnerability Details

Published Date

January 01, 2026

Last Modified

January 02, 2026

CWE ID

CWE-24

Source

NVD

External References

https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d
https://github.com/getsolus/eopkg/pull/201
https://github.com/getsolus/eopkg/releases/tag/v4.4.0
https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m

CVE-2026-21436

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment