CVE-2026-3087

· NIST NVD ↗

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

HIGH
CVSS severity
7.5
CVSS base score
2026-04-27
Published

CWE codes

CWE-22

Affected products

python:pythonmicrosoft:windows

Sources