CVE-2026-3087

Published: Apr 27, 2026
Last Modified: Apr 29, 2026
MEDIUM 6.0
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

If `shutil.unpack_archive()` is given a ZIP archive containing an absolute Windows path with a drive (`C:\\...`), the archive is extracted outside the target directory, which differs from the behavior on other operating systems. Only Windows is affected by this vulnerability.
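One way to screen a ZIP before handing it to `shutil.unpack_archive()`, as an added example that is not CPython's code or the upstream fix. The helper names (`unsafe_reason`, `audit_zip`, `checked_unpack`) and the sample member names are hypothetical; `ntpath` is used so that drive prefixes are recognised on any host OS.

```python
import ntpath
import re
import shutil
import zipfile


def unsafe_reason(name):
    """Return why a ZIP member name could escape the target dir, or None."""
    # ntpath applies Windows path rules even when run on Linux/macOS,
    # so "C:\\..." and "C:/..." are both seen as carrying a drive.
    drive, rest = ntpath.splitdrive(name)
    if drive:
        return "drive or UNC prefix"
    if rest.startswith(("/", "\\")):
        return "absolute path"
    if ".." in re.split(r"[\\/]", rest):
        return "parent-directory component"
    return None


def audit_zip(archive):
    """Map each unsafe member name in the archive to its reason."""
    with zipfile.ZipFile(archive) as zf:
        return {n: r for n in zf.namelist() if (r := unsafe_reason(n))}


def checked_unpack(archive_path, dest):
    """Extract only if no member name is flagged; otherwise refuse."""
    bad = audit_zip(archive_path)
    if bad:
        raise ValueError(f"refusing to extract, unsafe members: {bad}")
    shutil.unpack_archive(archive_path, dest, format="zip")


if __name__ == "__main__":
    # Constructed member names for illustration only.
    for sample in ("docs/readme.txt", "C:\\Temp\\constructed.txt",
                   "/etc/constructed", "docs/../../x.txt"):
        print(f"{sample!r}: {unsafe_reason(sample)}")
```

The check rejects the whole archive rather than skipping flagged members, so a partially extracted tree is never left behind.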

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Stable
Common Consequences
Security Scopes Affected:
Integrity, Confidentiality, Availability
Potential Impacts:
Execute Unauthorized Code or Commands; Modify Files or Directories; Read Files or Directories; DoS: Crash, Exit, or Restart
Applicable Platforms
Technologies: AI/ML
http://www.openwall.com/lists/oss-security/2026/04/28/9
https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef28…
https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52…
https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0…
https://github.com/python/cpython/issues/146581
https://github.com/python/cpython/pull/146591
https://mail.python.org/archives/list/[email protected]/thread/X6FXE…