CPython shutil.unpack_archive ZIP Path Traversal on Windows
CVE-2026-3087 Published on April 27, 2026

shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

Vendor Advisory NVD

Weakness Type

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2026-3087 has been classified to as a Directory traversal vulnerability or weakness.

Products Associated with CVE-2026-3087

Want to know whenever a new CVE is published for Cpython? stack.watch will email you.

Cpython

Affected Versions

Python Software Foundation CPython Version 0 is affected by CVE-2026-3087

CPython shutil.unpack_archive ZIP Path Traversal on WindowsCVE-2026-3087 Published on April 27, 2026

Weakness Type

What is a Directory traversal Vulnerability?

Products Associated with CVE-2026-3087

Affected Versions

CPython shutil.unpack_archive ZIP Path Traversal on Windows
CVE-2026-3087 Published on April 27, 2026