PSF-2026-22

See a problem?

Import Source

https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2026-22.json

JSON Data

https://api.test.osv.dev/v1/vulns/PSF-2026-22

Aliases

CVE-2026-3087

Published

2026-04-27T20:46:43.201Z

Modified

2026-04-28T02:00:09.789598Z

Summary

[none]

Details

If shutil.unpack_archive() is given a ZIP archive with an absolute Windows path containing a drive (C:\\...) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

Database specific

{
    "cwe_ids": []
}

References

https://github.com/python/cpython/pull/146591
https://github.com/python/cpython/issues/146581
https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/

Affected packages

Git / github.com/python/cpython

Affected ranges

Type: GIT
Repo: https://github.com/python/cpython
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Database specific

source

"https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2026-22.json"