GHSA-3vgw-585j-4m45

Source

https://github.com/advisories/GHSA-3vgw-585j-4m45

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-3vgw-585j-4m45/GHSA-3vgw-585j-4m45.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3vgw-585j-4m45

Aliases

CVE-2026-12565

Published

2026-06-18T15:02:35Z

Modified

2026-06-18T15:17:19.082386765Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284

Details

The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T15:02:35Z",
    "nvd_published_at": "2026-06-17T23:17:02Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-22",
        "CWE-61"
    ]
}

References

Affected packages

PyPI / bbot

Package

Name: bbot; View open source insights on deps.dev
Purl: pkg:pypi/bbot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.3.1

Fixed

2.8.5

Affected versions

2.*

2.3.1

2.3.1.5815rc0

2.3.1.5818rc0

2.3.1.5820rc0

2.3.2

2.3.2.5825rc0

2.3.2.5827rc0

2.3.2.5829rc0

2.3.2.5832rc0

2.3.2.5836rc0

2.3.2.5838rc0

2.3.2.5841rc0

2.3.2.5848rc0

2.3.2.5850rc0

2.3.2.5855rc0

2.3.2.5874rc0

2.3.2.5889rc0

2.3.2.5893rc0

2.3.2.5897rc0

2.3.2.5904rc0

2.3.2.5906rc0

2.3.2.5909rc0

2.3.2.5913rc0

2.3.2.5915rc0

2.3.2.5927rc0

2.3.2.5938rc0

2.3.2.5942rc0

2.3.2.5944rc0

2.3.2.5950rc0

2.3.2.5958rc0

2.3.2.5967rc0

2.3.2.5971rc0

2.4.0

2.4.0.5974rc0

2.4.0.5977rc0

2.4.0.5984rc0

2.4.0.5986rc0

2.4.0.5988rc0

2.4.0.5992rc0

2.4.0.5995rc0

2.4.0.5997rc0

2.4.0.5999rc0

2.4.0.6005rc0

2.4.0.6007rc0

2.4.0.6031rc0

2.4.0.6037rc0

2.4.0.6039rc0

2.4.0.6045rc0

2.4.0.6050rc0

2.4.0.6067rc0

2.4.0.6073rc0

2.4.1

2.4.1.6075rc0

2.4.1.6077rc0

2.4.1.6089rc0

2.4.1.6094rc0

2.4.1.6095rc0

2.4.1.6100rc0

2.4.1.6107rc0

2.4.2

2.4.2.6109rc0

2.4.2.6590rc0

2.4.2.6596rc0

2.4.2.6608rc0

2.4.2.6611rc0

2.4.2.6615rc0

2.4.2.6621rc0

2.4.2.6623rc0

2.4.2.6635rc0

2.4.2.6638rc0

2.4.2.6653rc0

2.4.2.6655rc0

2.4.2.6659rc0

2.4.2.6677rc0

2.4.2.6706rc0

2.5.0

2.5.0.6715rc0

2.5.0.6719rc0

2.5.0.6721rc0

2.5.0.6730rc0

2.5.0.6734rc0

2.5.0.6737rc0

2.5.0.6742rc0

2.5.0.6747rc0

2.5.0.6765rc0

2.5.0.6769rc0

2.5.0.6773rc0

2.5.0.6779rc0

2.5.0.6782rc0

2.5.0.6790rc0

2.5.0.6803rc0

2.5.0.6807rc0

2.5.0.6817rc0

2.5.0.6831rc0

2.6.0

2.6.0.6840rc0

2.6.0.6842rc0

2.6.0.6846rc0

2.6.0.6851rc0

2.6.0.6853rc0

2.6.0.6856rc0

2.6.0.6871rc0

2.6.0.6879rc0

2.6.1

2.6.1.6901rc0

2.6.1.6913rc0

2.6.1.6915rc0

2.7.0

2.7.0.6919rc0

2.7.0.6925rc0

2.7.0.6930rc0

2.7.0.6932rc0

2.7.0.6948rc0

2.7.0.6962rc0

2.7.0.6989rc0

2.7.0.6995rc0

2.7.0.7002rc0

2.7.0.7010rc0

2.7.0.7014rc0

2.7.0.7023rc0

2.7.0.7027rc0

2.7.0.7090rc0

2.7.0.7092rc0

2.7.0.7094rc0

2.7.0.7096rc0

2.7.0.7098rc0

2.7.0.7100rc0

2.7.0.7108rc0

2.7.0.7112rc0

2.7.0.7116rc0

2.7.0.7136rc0

2.7.1

2.7.1.7141rc0

2.7.1.7149rc0

2.7.1.7151rc0

2.7.1.7153rc0

2.7.1.7159rc0

2.7.1.7167rc0

2.7.1.7169rc0

2.7.1.7175rc0

2.7.1.7198rc0

2.7.1.7202rc0

2.7.1.7207rc0

2.7.1.7212rc0

2.7.2

2.7.2.7226rc0

2.7.2.7236rc0

2.7.2.7238rc0

2.7.2.7244rc0

2.7.2.7254rc0

2.7.2.7256rc0

2.7.2.7269rc0

2.7.2.7271rc0

2.7.2.7278rc0

2.7.2.7284rc0

2.7.2.7286rc0

2.7.2.7288rc0

2.7.2.7298rc0

2.7.2.7303rc0

2.7.2.7311rc0

2.7.2.7319rc0

2.7.2.7324rc0

2.7.2.7334rc0

2.7.2.7337rc0

2.7.2.7342rc0

2.7.2.7353rc0

2.7.2.7355rc0

2.7.2.7361rc0

2.7.2.7364rc0

2.7.2.7367rc0

2.7.2.7369rc0

2.7.2.7379rc0

2.7.2.7381rc0

2.7.2.7383rc0

2.7.2.7388rc0

2.7.2.7396rc0

2.7.2.7400rc0

2.7.2.7406rc0

2.7.2.7410rc0

2.7.2.7412rc0

2.7.2.7414rc0

2.7.2.7418rc0

2.7.2.7424rc0

2.7.2.7426rc0

2.7.2.7428rc0

2.7.2.7439rc0

2.8.0

2.8.0.7448rc0

2.8.0.7450rc0

2.8.0.7452rc0

2.8.0.7459rc0

2.8.1

2.8.1.7464rc0

2.8.1.7470rc0

2.8.1.7477rc0

2.8.2

2.8.2.7481rc0

2.8.2.7483rc0

2.8.2.7485rc0

2.8.2.7495rc0

2.8.2.7498rc0

2.8.2.7503rc0

2.8.2.7505rc0

2.8.2.7508rc0

2.8.2.7516rc0

2.8.3

2.8.3.7522rc0

2.8.3.7533rc0

2.8.3.7535rc0

2.8.3.7546rc0

2.8.3.7550rc0

2.8.3.7553rc0

2.8.3.7555rc0

2.8.4

2.8.4.7557rc0

2.8.4.7559rc0

2.8.4.7575rc0

2.8.4.7578rc0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-3vgw-585j-4m45/GHSA-3vgw-585j-4m45.json"

last_known_affected_version_range

"<= 2.8.4"