Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-qayb-9eug-23du
Vulnerability ID VCID-qayb-9eug-23du
Aliases CVE-2026-3087
Summary If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
System Score Found at
epss 0.0015 https://api.first.org/data/v1/epss?cve=CVE-2026-3087
epss 0.0015 https://api.first.org/data/v1/epss?cve=CVE-2026-3087
epss 0.0015 https://api.first.org/data/v1/epss?cve=CVE-2026-3087
epss 0.0015 https://api.first.org/data/v1/epss?cve=CVE-2026-3087
cvssv4 6 https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c
ssvc Track https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c
cvssv4 6 https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb
ssvc Track https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb
cvssv4 6 https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94
ssvc Track https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94
cvssv4 6 https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840
ssvc Track https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840
cvssv4 6 https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd
ssvc Track https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd
cvssv4 6 https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19
ssvc Track https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19
cvssv4 6 https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4
ssvc Track https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4
cvssv4 6 https://github.com/python/cpython/issues/146581
ssvc Track https://github.com/python/cpython/issues/146581
cvssv4 6 https://github.com/python/cpython/pull/146591
ssvc Track https://github.com/python/cpython/pull/146591
cvssv4 6 https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
ssvc Track https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-3087
146581 https://github.com/python/cpython/issues/146581
146591 https://github.com/python/cpython/pull/146591
65b255416ae217bf0e22085be3c1976cea18bd8c https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c
8e13025747e1ca72e86d1f35637123f9c306f0cb https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb
8ee6aff14054b37b53e47194a2fa313e98163c94 https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94
ab5ef98af693bded74a738570e81ea70abef2840 https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840
b01e594fbe754a960212f908d047294e880b52fd https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd
ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19 https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19
fc829e88753858c8ac669594bf0093f44948c0f4 https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4
X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4 https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:38:08Z/ Found at https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:38:08Z/ Found at https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:38:08Z/ Found at https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:38:08Z/ Found at https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:38:08Z/ Found at https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:38:08Z/ Found at https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:38:08Z/ Found at https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/python/cpython/issues/146581
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:38:08Z/ Found at https://github.com/python/cpython/issues/146581
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/python/cpython/pull/146591
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:38:08Z/ Found at https://github.com/python/cpython/pull/146591
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:38:08Z/ Found at https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
Exploit Prediction Scoring System (EPSS)
Percentile 0.35286
EPSS Score 0.0015
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:54:15.102556+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/3xxx/CVE-2026-3087.json 38.6.0