PatchSiren

CVE-2026-3087 Python Software Foundation CVE debrief

CVE-2026-3087 is a medium-severity vulnerability in Python's shutil.unpack_archive() function. When the function is given a ZIP archive whose member names contain an absolute Windows path with a drive letter (for example C:), those members can be extracted outside the target directory. Drive-letter paths have no meaning on other operating systems, so only Windows is affected.

Vendor: Python Software Foundation
Product: CPython
CVSS: 6 (Medium)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-27
Original CVE updated: 2026-06-05
Advisory published: 2026-04-27
Advisory updated: 2026-06-05

Who should care

Developers and users of Python on Windows should be aware of this vulnerability, since extracting an untrusted archive with shutil.unpack_archive() can write files outside the intended directory.

Technical summary

The vulnerability is caused by shutil.unpack_archive() not handling absolute Windows paths in ZIP member names correctly. An attacker who can supply an archive to be unpacked could craft member names that cause files to be written to an unintended location on the Windows host.

Defensive priority

Medium

Recommended defensive actions

  • Apply the fixes from the Python repository (listed as ref-4 through ref-10 among the advisory's resource links)
  • Use alternative archive extraction methods that handle absolute paths correctly
  • Validate and sanitize archive member paths before extraction
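As an added example of the validation step the list recommends (this is illustrative code, not CPython's shutil implementation and not part of the PatchSiren advisory), the helper below checks every ZIP member name before any byte is written. It uses ntpath so that drive letters and UNC roots are recognised whatever the host OS, rejects rooted paths with either separator and any ".." component, and refuses the whole archive rather than silently skipping bad members. The function names (unsafe_reason, audit_zip, safe_extract, extract_to_tempdir) and the in-memory sample archives are this example's own constructions.

```python
"""Added example: refuse ZIP members that would extract outside the target directory.

Illustrative code, not CPython's shutil implementation. Member names are
validated on any host OS: Windows drive letters and UNC prefixes, rooted paths
with either separator, and '..' components are all rejected before extraction.
"""
import io
import ntpath
import os
import tempfile
import zipfile


def unsafe_reason(name: str):
    """Return why a ZIP member name is unsafe, or None if it may be extracted."""
    if not name.strip():
        return "empty member name"
    if "\x00" in name:
        return "embedded NUL byte"
    # ntpath understands 'C:' drives and '\\server\share' UNC roots regardless of
    # the host OS, so the same check protects extraction on Windows hosts.
    drive, _ = ntpath.splitdrive(name)
    if drive:
        return f"drive or UNC prefix {drive!r}"
    norm = name.replace("\\", "/")
    if norm.startswith("/"):
        return "rooted path"
    if ".." in norm.split("/"):
        return "parent-directory component"
    return None


def audit_zip(data: bytes) -> dict:
    """Map each unsafe member name in the archive to the reason it was rejected."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            reason = unsafe_reason(name)
            if reason is not None:
                findings[name] = reason
    return findings


def safe_extract(data: bytes, dest: str) -> list:
    """Extract under dest, refusing the whole archive if any member is unsafe.

    Returns the list of files written, relative to dest (forward slashes)."""
    findings = audit_zip(data)
    if findings:
        raise ValueError(f"unsafe members: {findings}")
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            rel_parts = [p for p in info.filename.replace("\\", "/").split("/") if p]
            target = os.path.realpath(os.path.join(dest_real, *rel_parts))
            # Second line of defence: the resolved path must still be under dest.
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"{info.filename!r} resolves outside {dest}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append("/".join(rel_parts))
    return written


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only for constructed fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures (not real-world samples): a clean archive and one holding
# the kind of drive-letter member the advisory describes, plus a '..' member.
CLEAN_ZIP = build_zip({"docs/readme.txt": "hello"})
HOSTILE_ZIP = build_zip({
    "docs/readme.txt": "hello",
    "C:\\Windows\\payload.txt": "must never be written",
    "../escape.txt": "nor this",
})


def extract_to_tempdir(data: bytes):
    """Extract into a fresh temporary directory; return (written, error_message)."""
    dest = tempfile.mkdtemp(prefix="unpack-")
    try:
        return safe_extract(data, dest), None
    except ValueError as exc:
        return [], str(exc)


if __name__ == "__main__":
    print("hostile archive findings:", audit_zip(HOSTILE_ZIP))
    print("clean archive extracted:", extract_to_tempdir(CLEAN_ZIP))
```

Refusing the entire archive on the first bad member is deliberate: partially extracted archives are hard to reason about, and a member that tries to escape the destination is a signal that nothing else in the archive should be trusted either.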

Evidence notes

The vulnerability was reported and patched by the Python developers. Multiple commits were applied to fix the issue (listed as ref-4 through ref-10 among the advisory's resource links).
