QwikSec

Security Database

CVE

CWE

Training

CVE-2026-3087

Published: Apr 27, 2026

Modified: Jun 4, 2026

PUBLISHED

Description

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

Vendor	Product	Versions
Python Software Foundation	CPython	affected `0 - < 3.14.5rc1` affected `3.15.0a1 - < 3.15.0b1`

Weaknesses (CWE)

References

https://github.com/python/cpython/pull/146591

patch

https://github.com/python/cpython/issues/146581

issue-tracking

https://mail.python.org/archives/list/[email protected]/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/

vendor-advisory

https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840

patch

https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd

patch

https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4

patch

https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c

patch

https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb

patch

https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94

patch

https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.