{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21436", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-29T03:00:29.275Z", "datePublished": "2026-01-01T18:03:17.320Z", "dateUpdated": "2026-01-02T18:52:58.220Z"}, "containers": {"cna": {"title": "eopkg has Path Traversal: '../filedir' vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-24", "lang": "en", "description": "CWE-24: Path Traversal: '../filedir'", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 5.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m"}, {"name": "https://github.com/getsolus/eopkg/pull/201", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsolus/eopkg/pull/201"}, {"name": "https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d"}, {"name": "https://github.com/getsolus/eopkg/releases/tag/v4.4.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsolus/eopkg/releases/tag/v4.4.0"}], "affected": [{"vendor": "getsolus", "product": "eopkg", "versions": [{"version": "< 4.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-01T18:03:17.320Z"}, "descriptions": [{"lang": "en", "value": "eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected."}], "source": {"advisory": "GHSA-786v-47cq-qm6m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-02T18:52:38.059266Z", "id": "CVE-2026-21436", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T18:52:58.220Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21436", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-02T18:52:38.059266Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T18:52:46.207Z"}}], "cna": {"title": "eopkg has Path Traversal: '../filedir' vulnerability", "source": {"advisory": "GHSA-786v-47cq-qm6m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "getsolus", "product": "eopkg", "versions": [{"status": "affected", "version": "< 4.4.0"}]}], "references": [{"url": "https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m", "name": "https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/getsolus/eopkg/pull/201", "name": "https://github.com/getsolus/eopkg/pull/201", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d", "name": "https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/getsolus/eopkg/releases/tag/v4.4.0", "name": "https://github.com/getsolus/eopkg/releases/tag/v4.4.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-24", "description": "CWE-24: Path Traversal: '../filedir'"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-01T18:03:17.320Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21436", "state": "PUBLISHED", "dateUpdated": "2026-01-02T18:52:58.220Z", "dateReserved": "2025-12-29T03:00:29.275Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-01T18:03:17.320Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getsol:eopkg:*:*:*:*:*:python:*:*", "matchCriteriaId": "1E0EA986-0572-494D-A971-C2071C7E153A", "versionEndExcluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected."}, {"lang": "es", "value": "eopkg es un gestor de paquetes de Solus implementado en python3. En versiones anteriores a la 4.4.0, un paquete malicioso podr\u00eda escapar del directorio establecido por `--destdir`. Esto requiere la instalaci\u00f3n de un paquete de una fuente maliciosa o comprometida. Los archivos en dichos paquetes no se instalar\u00edan en la ruta especificada por `--destdir`, sino en una ubicaci\u00f3n diferente en el host. El problema ha sido solucionado en la v4.4.0. Los usuarios que solo instalan paquetes de los repositorios de Solus no se ven afectados."}], "id": "CVE-2026-21436", "lastModified": "2026-03-04T21:33:14.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-01T18:15:41.203", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/getsolus/eopkg/pull/201"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/getsolus/eopkg/releases/tag/v4.4.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-24"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:35:57.533891+00:00", "value": {"mitigation_remediation": ["Upgrade eopkg to version 4.4.0 or newer, which removes the directory traversal logic flaw.", "Ensure that all installed packages come only from the official Solus repository or are properly signed; do not install packages from unverified sources.", "Configure eopkg to enforce signature verification or restrict installation to the Solus repository to prevent accidental installation of malicious packages."], "summary": {"action": "Immediate Patch", "impact": "Directory traversal enabling arbitrary file installation outside the intended destination during package installation"}, "threat_synthesis": {"affected_systems": "GetSolus eopkg versions earlier than 4.4.0 are affected. Only installations of packages that come from untrusted or compromised sources are vulnerable; packages installed from the official Solus repositories are not impacted. The flaw applies to all platforms where eopkg is used, as the hit is on the package installation process itself.", "description_and_impact": "eopkg, the Solus package manager written in Python, contains a directory traversal flaw that allows a malicious package to bypass the --destdir option and place files at arbitrary paths on the host filesystem. The vulnerability manifests when installing a package from a source that is not properly verified, enabling the package maintainer to embed file paths that escape the targeted installation directory. This can compromise confidentiality and integrity by writing or overwriting critical files; while it does not directly provide remote code execution, it could be leveraged in conjunction with other vulnerabilities or as part of a larger attack chain.", "risk_and_exploitability": "The CVSS v3 score is 5.8, indicating a medium severity bug. The EPSS score is below 1%, implying a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires the attacker to supply a malicious package and trigger eopkg to install it, so the attack vector is local or requires trust in the package source. Because of the low exploitation probability, immediate patching is still recommended but urgent response may not be critical for all users."}}}}, "created": "2026-04-18T08:45:41.401837+00:00", "updated": "2026-04-18T08:45:41.401854+00:00", "vendors": []}