{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21437", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-29T03:00:29.275Z", "datePublished": "2026-01-01T18:06:02.368Z", "dateUpdated": "2026-01-02T18:54:21.061Z"}, "containers": {"cna": {"title": "eopkg vulnerable to package file list integrity bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-353", "lang": "en", "description": "CWE-353: Missing Support for Integrity Check", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "HIGH", "baseScore": 2, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/getsolus/eopkg/security/advisories/GHSA-hjp7-qwrj-6cc6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getsolus/eopkg/security/advisories/GHSA-hjp7-qwrj-6cc6"}, {"name": "https://github.com/getsolus/eopkg/pull/201", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsolus/eopkg/pull/201"}, {"name": "https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d"}, {"name": "https://github.com/getsolus/eopkg/releases/tag/v4.4.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsolus/eopkg/releases/tag/v4.4.0"}], "affected": [{"vendor": "getsolus", "product": "eopkg", "versions": [{"version": "< 4.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-01T18:06:02.368Z"}, "descriptions": [{"lang": "en", "value": "eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected."}], "source": {"advisory": "GHSA-hjp7-qwrj-6cc6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-02T18:54:04.747435Z", "id": "CVE-2026-21437", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T18:54:21.061Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21437", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-02T18:54:04.747435Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T18:54:13.816Z"}}], "cna": {"title": "eopkg vulnerable to package file list integrity bypass", "source": {"advisory": "GHSA-hjp7-qwrj-6cc6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:H", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "getsolus", "product": "eopkg", "versions": [{"status": "affected", "version": "< 4.4.0"}]}], "references": [{"url": "https://github.com/getsolus/eopkg/security/advisories/GHSA-hjp7-qwrj-6cc6", "name": "https://github.com/getsolus/eopkg/security/advisories/GHSA-hjp7-qwrj-6cc6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/getsolus/eopkg/pull/201", "name": "https://github.com/getsolus/eopkg/pull/201", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d", "name": "https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/getsolus/eopkg/releases/tag/v4.4.0", "name": "https://github.com/getsolus/eopkg/releases/tag/v4.4.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-353", "description": "CWE-353: Missing Support for Integrity Check"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-01T18:06:02.368Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21437", "state": "PUBLISHED", "dateUpdated": "2026-01-02T18:54:21.061Z", "dateReserved": "2025-12-29T03:00:29.275Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-01T18:06:02.368Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getsol:eopkg:*:*:*:*:*:python:*:*", "matchCriteriaId": "1E0EA986-0572-494D-A971-C2071C7E153A", "versionEndExcluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected."}, {"lang": "es", "value": "eopkg es un gestor de paquetes de Solus implementado en python3. En versiones anteriores a la 4.4.0, un paquete malicioso podr\u00eda incluir archivos que no son rastreados por 'eopkg'. Esto requiere la instalaci\u00f3n de un paquete de una fuente maliciosa o comprometida. Los archivos en dichos paquetes no ser\u00edan mostrados por 'lseopkg' y herramientas relacionadas. El problema ha sido solucionado en la v4.4.0. Los usuarios que solo instalan paquetes de los repositorios de Solus no se ven afectados."}], "id": "CVE-2026-21437", "lastModified": "2026-03-04T21:31:50.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-01T18:15:41.347", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/getsolus/eopkg/pull/201"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/getsolus/eopkg/releases/tag/v4.4.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/getsolus/eopkg/security/advisories/GHSA-hjp7-qwrj-6cc6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-353"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:35:39.568909+00:00", "value": {"mitigation_remediation": ["Upgrade eopkg to version 4.4.0 or later to apply the fixed integrity check. ", "Reinstall or remove any packages that were installed from untrusted or third\u2011party sources, and verify that all installed files are now tracked by eopkg tools. ", "Ensure that future package installations are sourced only from the official Solus repository to prevent similar integrity bypass attempts."], "summary": {"action": "Apply patch", "impact": "Integrity bypass of package file list"}, "threat_synthesis": {"affected_systems": "Versions of eopkg older than 4.4.0, bundled with Solus, are affected. The package manager is implemented in Python3, and only installations from the official Solus repositories are safe. Users who install packages from other sources may be impacted.", "description_and_impact": "A malicious package can include files that are not recorded by the eopkg package manager. This bypasses the integrity mechanism that tracks installed files, allowing files to exist on the system without being listed by tools such as lseopkg. The vulnerability is a CWE-353 scenario where an attacker can deliver hidden files that evade standard package management tracking, potentially compromising system integrity and making removal or auditing difficult.", "risk_and_exploitability": "The CVSS score is 2, indicating low severity. The EPSS score is below 1%, showing a very low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can exploit it by installing a malicious or compromised package from an untrusted source, which requires local installation privileges or the ability to place a crafted package in a repository. Because the flaw only manifests during package installation and the fix appears in v4.4.0, the current risk to users relying solely on official repositories is minimal, but the risk rises if third\u2011party packages are used."}}}}, "created": "2026-04-18T08:45:41.401403+00:00", "updated": "2026-04-18T08:45:41.401420+00:00", "vendors": []}