shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
Details
CVSS v4
6.0
NVD published
2026-04-27 21:16:42
EPSS
<0.1% probability · 14.1th percentile — 2026-04-28
Affected versions
Not available in our cache.
Summary
If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.