File Extraction Vulnerability in Python Affecting Windows Systems
CVE-2026-3087

6MEDIUM

Key Information:

Vendor

Python Software Foundation

Status
Cpython
Vendor
CVE Published:
27 April 2026

What is CVE-2026-3087?

A security vulnerability exists in Python's shutil.unpack_archive() function, where a ZIP archive containing an absolute Windows path can be extracted outside the designated target directory. This issue specifically affects Windows systems, allowing malicious ZIP files to compromise file system integrity by extracting files into unintended locations, thereby posing a potential risk for unauthorized access or data manipulation.

Affected Version(s)

CPython 0

References

https://github.com/python/cpython/pull/146591
patch
https://github.com/python/cpython/issues/146581
issue-tracking
https://mail.python.org/archives/list/security-announce@p...
vendor-advisory

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Serhiy Storchaka (https://github.com/serhiy-storchaka)
Seth Larson (https://github.com/sethmlarson)
GGAutomaton (https://github.com/GGAutomaton)
.