CVE-2026-3087

UNKNOWN View on NVD ↗

Description

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

References

https://github.com/python/cpython/issues/146581
https://github.com/python/cpython/pull/146591
https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
http://www.openwall.com/lists/oss-security/2026/04/28/9

Published: Apr 27, 2026 21:16 UTC Modified: Apr 28, 2026 06:16 UTC