Vulnerability Description
If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Python | <= 3.14.4 |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef284Patch
- https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fPatch
- https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0fPatch
- https://github.com/python/cpython/issues/146581ExploitIssue TrackingPatch
- https://github.com/python/cpython/pull/146591Issue TrackingPatch
- https://mail.python.org/archives/list/[email protected]/thread/X6FXE5Mailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2026/04/28/9Mailing ListThird Party Advisory
FAQ
What is CVE-2026-3087?
CVE-2026-3087 is a vulnerability with a CVSS score of 7.5 (HIGH). If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than...
How severe is CVE-2026-3087?
CVE-2026-3087 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-3087?
Check the references section above for vendor advisories and patch information. Affected products include: Python Python, Microsoft Windows.