Sebastian Gassner - Security Researcher - Exploit Intelligence Platform

CVE-2026-3087 WRITEUP HIGH WRITEUP

shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

CVSS 7.5

View Code

CVE-2026-3087 WRITEUP HIGH WRITEUP

shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

CVSS 7.5

View Code

CVE-2026-3087 WRITEUP HIGH WRITEUP

shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

CVSS 7.5

View Code

CVE-2026-3087 WRITEUP HIGH WRITEUP

shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

CVSS 7.5

View Code