=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN436
_____________________________________________________________________

DATE                : 28/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CPython.

=====================================================================
https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/
_____________________________________________________________________


[CVE-2026-3087] shutil.unpack_archive() doesn't check for Windows
absolute paths in ZIPs

Seth Larson
27 April 2026 20:48

There is a MEDIUM severity vulnerability affecting CPython.

If shutil.unpack_archive() is given a ZIP archive with an absolute
Windows path containing a drive (C:\\...) then the archive will be
extracted outside the target directory, which is different from other
operating systems. Only Windows is affected by this vulnerability.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-3087
    https://github.com/python/cpython/pull/146591
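The following is an added example, not code from the advisory, from CPython or from the linked pull request. It builds a constructed in-memory ZIP whose entries include a Windows drive-absolute name, then dry-runs two name-handling policies against it without writing anything to disk. legacy_target() is my own model of the pre-fix shutil behaviour described above (skip names starting with "/" or containing "..", then join the "/"-separated components onto the target directory); it is an assumption about that logic, evaluated with ntpath so the Windows outcome is visible on any host. safe_target() is the check a practitioner would apply before hand-extracting: reject drive-letter, UNC and rooted names as well as traversal components, and confirm the final path is still under the target directory. The extract directories "D:\dest" and "out" and the entry names are constructed.

```python
import io
import ntpath
import zipfile
from typing import Dict, List, Optional


def build_sample_zip() -> bytes:
    """Constructed sample archive, not from the advisory: a benign entry, a
    POSIX-absolute entry, a '..' entry and a Windows drive-absolute entry.
    Built in memory so the example runs offline on any host."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign\n")
        zf.writestr("/etc/evil", "posix absolute\n")
        zf.writestr("../up.txt", "dot-dot\n")
        zf.writestr("C:\\Users\\Public\\evil.txt", "drive absolute\n")
    return buf.getvalue()


def is_under(base: str, path: str) -> bool:
    """True if path stays inside base under Windows path rules.
    commonpath() raises ValueError for different drives or for an
    absolute path mixed with a relative one; both mean 'not contained'."""
    base = ntpath.normpath(base)
    try:
        common = ntpath.commonpath([base, ntpath.normpath(path)])
    except ValueError:
        return False
    return ntpath.normcase(common) == ntpath.normcase(base)


def legacy_target(extract_dir: str, name: str) -> Optional[str]:
    """Model (my assumption, not the CPython source) of the pre-fix shutil
    logic: skip names starting with '/' or containing '..', then join the
    '/'-separated components onto extract_dir with Windows semantics.
    Backslashes are folded to '/' first (assumption: zipfile does this when
    it reads names on Windows) so the result does not depend on the host.
    Returns None when the entry is skipped, else the path it would write."""
    name = name.replace("\\", "/")
    if name.startswith("/") or ".." in name:
        return None
    return ntpath.join(extract_dir, *name.split("/"))


def safe_target(extract_dir: str, name: str) -> Optional[str]:
    """Hardened check: reject drive-letter, UNC, rooted, '.' and '..' names,
    then confirm the normalised target is still under extract_dir."""
    candidate = name.replace("\\", "/").rstrip("/")
    if not candidate:
        return None
    drive, rest = ntpath.splitdrive(candidate)   # catches 'C:...' and '//server/share/...'
    if drive or rest.startswith("/"):
        return None
    parts = rest.split("/")
    if any(part in ("", ".", "..") for part in parts):
        return None
    target = ntpath.normpath(ntpath.join(extract_dir, *parts))
    return target if is_under(extract_dir, target) else None


def audit_archive(zip_bytes: bytes, extract_dir: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Dry run over every entry: where the legacy logic would write it, and
    where the hardened check allows it (None means skipped or rejected).
    Nothing is written to disk."""
    report: Dict[str, Dict[str, Optional[str]]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            report[name] = {
                "legacy": legacy_target(extract_dir, name),
                "hardened": safe_target(extract_dir, name),
            }
    return report


def escaping_entries(report: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Entries the legacy logic would write but the hardened check rejects."""
    return [n for n, r in report.items()
            if r["legacy"] is not None and r["hardened"] is None]


if __name__ == "__main__":
    report = audit_archive(build_sample_zip(), "D:\\dest")
    for name, r in report.items():
        print(f"{name!r}: legacy={r['legacy']!r} hardened={r['hardened']!r}")
    print("would escape:", escaping_entries(report))
```

With the constructed target "D:\dest", the legacy model skips "/etc/evil" and "../up.txt" but joins the drive-absolute entry to "C:Users\Public\evil.txt", a drive-relative path on another drive, while the hardened check rejects it; a relative target such as "out" produces the same escape. The advisory scopes this to shutil.unpack_archive() and not to zipfile.ZipFile.extractall(); if you rely on zipfile's own sanitisation, verify it against the CPython version you run rather than assuming.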


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
