CVE-2026-44942

MEDIUM

libzypp .repo files can have an optional path which can lead to path traversal attacks

Title source: cna
STIX 2.1

Description

A path traversal in handling the "path" component of .repo files processed by libzypp before 17.38.13 in the 17.x series, or before 16.22.19 could be used by attackers to fill directories on the system outside of the zypp cache with content.

References (2)

Core 2
Core References

Scores

CVSS v3 6.5
EPSS 0.0033
EPSS Percentile 24.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-24
Status published
Products (2)
SUSE/libzypp < 16.22.19
SUSE/libzypp 17.0.0 - 17.38.13
Published Jun 18, 2026
Tracked Since Jun 18, 2026