Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-rzy2-bwm9-n3hw
Vulnerability ID VCID-rzy2-bwm9-n3hw
Aliases CVE-2026-22870
GHSA-ffj4-jq7m-9g6v
Summary GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00037 https://api.first.org/data/v1/epss?cve=CVE-2026-22870
epss 0.00037 https://api.first.org/data/v1/epss?cve=CVE-2026-22870
epss 0.00038 https://api.first.org/data/v1/epss?cve=CVE-2026-22870
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-ffj4-jq7m-9g6v
cvssv4 7.1 https://github.com/DataDog/guarddog
generic_textual HIGH https://github.com/DataDog/guarddog
cvssv4 7.1 https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b
generic_textual HIGH https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b
ssvc Track https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b
cvssv3.1_qr HIGH https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v
cvssv4 7.1 https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v
generic_textual HIGH https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v
ssvc Track https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v
cvssv4 7.1 https://nvd.nist.gov/vuln/detail/CVE-2026-22870
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-22870
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-22870
https://github.com/DataDog/guarddog
c3fb07b4838945f42497e78b7a02bcfb1e63969b https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b
CVE-2026-22870 https://nvd.nist.gov/vuln/detail/CVE-2026-22870
GHSA-ffj4-jq7m-9g6v https://github.com/advisories/GHSA-ffj4-jq7m-9g6v
GHSA-ffj4-jq7m-9g6v https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/DataDog/guarddog
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-13T21:23:44Z/ Found at https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-13T21:23:44Z/ Found at https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-22870
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.11381
EPSS Score 0.00037
Published At June 12, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:52:45.195547+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/22xxx/CVE-2026-22870.json 38.6.0