Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CVE-2026-3087

🗓️ 27 Apr 2026 20:46:43Reported by PSFType 
cve
 cve🔗 web.nvd.nist.gov👁 89 Views

CVE-2026-3087: shutil.unpack_archive() extracts outside target on Windows with absolute archive paths.

Related
Detection
Affected
Refs
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2026-3087
27 Apr 202620:46
attackerkb
Circl		CVE-2026-3087
28 Apr 202602:22
circl
CNNVD		CPython 路径遍历漏洞
27 Apr 202600:00
cnnvd
Cvelist		CVE-2026-3087 shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
27 Apr 202620:46
cvelist
Debian CVE		CVE-2026-3087
27 Apr 202620:46
debiancve
EUVD		EUVD-2026-25922
27 Apr 202620:46
euvd
NVD		CVE-2026-3087
27 Apr 202621:16
nvd
OSV		BIT-LIBPYTHON-2026-3087 shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
29 Apr 202611:42
osv
OSV		BIT-PYTHON-2026-3087 shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
29 Apr 202611:50
osv
OSV		BIT-PYTHON-MIN-2026-3087 shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
29 Apr 202611:50
osv
Rows per page
NVD
Node
pythonpythonRange3.14.4
OR
pythonpythonMatch3.15.0alpha1
OR
pythonpythonMatch3.15.0alpha2
OR
pythonpythonMatch3.15.0alpha3
OR
pythonpythonMatch3.15.0alpha4
OR
pythonpythonMatch3.15.0alpha5
OR
pythonpythonMatch3.15.0alpha6
OR
pythonpythonMatch3.15.0alpha7
OR
pythonpythonMatch3.15.0alpha8
AND
microsoftwindowsMatch-
[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "shutil"
    ],
    "product": "CPython",
    "repo": "https://github.com/python/cpython",
    "vendor": "Python Software Foundation",
    "versions": [
      {
        "version": "0",
        "lessThan": "3.13.14",
        "status": "affected",
        "versionType": "python"
      },
      {
        "version": "3.14.0a1",
        "lessThan": "3.14.5rc1",
        "status": "affected",
        "versionType": "python"
      },
      {
        "version": "3.15.0a1",
        "lessThan": "3.15.0b1",
        "status": "affected",
        "versionType": "python"
      }
    ]
  }
]
SourceLink
githubwww.github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd
githubwww.github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb
githubwww.github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4
githubwww.github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94
githubwww.github.com/python/cpython/pull/146591
mailwww.mail.python.org/archives/list/[email protected]/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
githubwww.github.com/python/cpython/issues/146581
githubwww.github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c
githubwww.github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840
githubwww.github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19
Rows per page

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Jun 2026 10:43Current
5.2Medium risk
Vulners AI Score5.2
CVSS 3.17.5
CVSS 46
EPSS0.00531
SSVC
CWE-22
windowsabsolute archive pathszip archivesdirectory traversalvulnerability
89