CVE-2026-3087

Vulnerability Description

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

Vulnerability Details

Published Date

April 27, 2026

Last Modified

April 27, 2026

CWE ID

CWE-22

Source

NVD

External References

https://github.com/python/cpython/issues/146581
https://github.com/python/cpython/pull/146591
https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/

CVE-2026-3087

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment