CVE-2026-21436 (GCVE-0-2026-21436)
Vulnerability from cvelistv5 – Published: 2026-01-01 18:03 – Updated: 2026-01-02 18:52
VLAI?
Title
eopkg has Path Traversal: '../filedir' vulnerability
Summary
eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.
Severity ?
CWE
- CWE-24 - Path Traversal: '../filedir'
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21436",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-02T18:52:38.059266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T18:52:58.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "eopkg",
"vendor": "getsolus",
"versions": [
{
"status": "affected",
"version": "\u003c 4.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-24",
"description": "CWE-24: Path Traversal: \u0027../filedir\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-01T18:03:17.320Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m"
},
{
"name": "https://github.com/getsolus/eopkg/pull/201",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsolus/eopkg/pull/201"
},
{
"name": "https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d"
},
{
"name": "https://github.com/getsolus/eopkg/releases/tag/v4.4.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsolus/eopkg/releases/tag/v4.4.0"
}
],
"source": {
"advisory": "GHSA-786v-47cq-qm6m",
"discovery": "UNKNOWN"
},
"title": "eopkg has Path Traversal: \u0027../filedir\u0027 vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21436",
"datePublished": "2026-01-01T18:03:17.320Z",
"dateReserved": "2025-12-29T03:00:29.275Z",
"dateUpdated": "2026-01-02T18:52:58.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-21436",
"date": "2026-04-28",
"epss": "6e-05",
"percentile": "0.00421"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-21436\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-01T18:15:41.203\",\"lastModified\":\"2026-03-04T21:33:14.970\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.\"},{\"lang\":\"es\",\"value\":\"eopkg es un gestor de paquetes de Solus implementado en python3. En versiones anteriores a la 4.4.0, un paquete malicioso podr\u00eda escapar del directorio establecido por `--destdir`. Esto requiere la instalaci\u00f3n de un paquete de una fuente maliciosa o comprometida. Los archivos en dichos paquetes no se instalar\u00edan en la ruta especificada por `--destdir`, sino en una ubicaci\u00f3n diferente en el host. El problema ha sido solucionado en la v4.4.0. Los usuarios que solo instalan paquetes de los repositorios de Solus no se ven afectados.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-24\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getsol:eopkg:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"4.4.0\",\"matchCriteriaId\":\"1E0EA986-0572-494D-A971-C2071C7E153A\"}]}]}],\"references\":[{\"url\":\"https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/getsolus/eopkg/pull/201\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/getsolus/eopkg/releases/tag/v4.4.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-21436\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-02T18:52:38.059266Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-02T18:52:46.207Z\"}}], \"cna\": {\"title\": \"eopkg has Path Traversal: \u0027../filedir\u0027 vulnerability\", \"source\": {\"advisory\": \"GHSA-786v-47cq-qm6m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"getsolus\", \"product\": \"eopkg\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.4.0\"}]}], \"references\": [{\"url\": \"https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m\", \"name\": \"https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/getsolus/eopkg/pull/201\", \"name\": \"https://github.com/getsolus/eopkg/pull/201\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d\", \"name\": \"https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/getsolus/eopkg/releases/tag/v4.4.0\", \"name\": \"https://github.com/getsolus/eopkg/releases/tag/v4.4.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-24\", \"description\": \"CWE-24: Path Traversal: \u0027../filedir\u0027\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-01T18:03:17.320Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-21436\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-02T18:52:58.220Z\", \"dateReserved\": \"2025-12-29T03:00:29.275Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-01T18:03:17.320Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…