PYSEC-2026-2392

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/bbot/PYSEC-2026-2392.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2392
Aliases
Published
2026-07-13T15:46:20.506716Z
Modified
2026-07-13T16:31:35.039404745Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284
Details

The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.

References

Affected packages

PyPI / bbot

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.1
Fixed
2.8.5

Affected versions

2.*
2.3.1
2.3.1.5815rc0
2.3.1.5818rc0
2.3.1.5820rc0
2.3.2
2.3.2.5825rc0
2.3.2.5827rc0
2.3.2.5829rc0
2.3.2.5832rc0
2.3.2.5836rc0
2.3.2.5838rc0
2.3.2.5841rc0
2.3.2.5848rc0
2.3.2.5850rc0
2.3.2.5855rc0
2.3.2.5874rc0
2.3.2.5889rc0
2.3.2.5893rc0
2.3.2.5897rc0
2.3.2.5904rc0
2.3.2.5906rc0
2.3.2.5909rc0
2.3.2.5913rc0
2.3.2.5915rc0
2.3.2.5927rc0
2.3.2.5938rc0
2.3.2.5942rc0
2.3.2.5944rc0
2.3.2.5950rc0
2.3.2.5958rc0
2.3.2.5967rc0
2.3.2.5971rc0
2.4.0
2.4.0.5974rc0
2.4.0.5977rc0
2.4.0.5984rc0
2.4.0.5986rc0
2.4.0.5988rc0
2.4.0.5992rc0
2.4.0.5995rc0
2.4.0.5997rc0
2.4.0.5999rc0
2.4.0.6005rc0
2.4.0.6007rc0
2.4.0.6031rc0
2.4.0.6037rc0
2.4.0.6039rc0
2.4.0.6045rc0
2.4.0.6050rc0
2.4.0.6067rc0
2.4.0.6073rc0
2.4.1
2.4.1.6075rc0
2.4.1.6077rc0
2.4.1.6089rc0
2.4.1.6094rc0
2.4.1.6095rc0
2.4.1.6100rc0
2.4.1.6107rc0
2.4.2
2.4.2.6109rc0
2.4.2.6590rc0
2.4.2.6596rc0
2.4.2.6608rc0
2.4.2.6611rc0
2.4.2.6615rc0
2.4.2.6621rc0
2.4.2.6623rc0
2.4.2.6635rc0
2.4.2.6638rc0
2.4.2.6653rc0
2.4.2.6655rc0
2.4.2.6659rc0
2.4.2.6677rc0
2.4.2.6706rc0
2.5.0
2.5.0.6715rc0
2.5.0.6719rc0
2.5.0.6721rc0
2.5.0.6730rc0
2.5.0.6734rc0
2.5.0.6737rc0
2.5.0.6742rc0
2.5.0.6747rc0
2.5.0.6765rc0
2.5.0.6769rc0
2.5.0.6773rc0
2.5.0.6779rc0
2.5.0.6782rc0
2.5.0.6790rc0
2.5.0.6803rc0
2.5.0.6807rc0
2.5.0.6817rc0
2.5.0.6831rc0
2.6.0
2.6.0.6840rc0
2.6.0.6842rc0
2.6.0.6846rc0
2.6.0.6851rc0
2.6.0.6853rc0
2.6.0.6856rc0
2.6.0.6871rc0
2.6.0.6879rc0
2.6.1
2.6.1.6901rc0
2.6.1.6913rc0
2.6.1.6915rc0
2.7.0
2.7.0.6919rc0
2.7.0.6925rc0
2.7.0.6930rc0
2.7.0.6932rc0
2.7.0.6948rc0
2.7.0.6962rc0
2.7.0.6989rc0
2.7.0.6995rc0
2.7.0.7002rc0
2.7.0.7010rc0
2.7.0.7014rc0
2.7.0.7023rc0
2.7.0.7027rc0
2.7.0.7090rc0
2.7.0.7092rc0
2.7.0.7094rc0
2.7.0.7096rc0
2.7.0.7098rc0
2.7.0.7100rc0
2.7.0.7108rc0
2.7.0.7112rc0
2.7.0.7116rc0
2.7.0.7136rc0
2.7.1
2.7.1.7141rc0
2.7.1.7149rc0
2.7.1.7151rc0
2.7.1.7153rc0
2.7.1.7159rc0
2.7.1.7167rc0
2.7.1.7169rc0
2.7.1.7175rc0
2.7.1.7198rc0
2.7.1.7202rc0
2.7.1.7207rc0
2.7.1.7212rc0
2.7.2
2.7.2.7226rc0
2.7.2.7236rc0
2.7.2.7238rc0
2.7.2.7244rc0
2.7.2.7254rc0
2.7.2.7256rc0
2.7.2.7269rc0
2.7.2.7271rc0
2.7.2.7278rc0
2.7.2.7284rc0
2.7.2.7286rc0
2.7.2.7288rc0
2.7.2.7298rc0
2.7.2.7303rc0
2.7.2.7311rc0
2.7.2.7319rc0
2.7.2.7324rc0
2.7.2.7334rc0
2.7.2.7337rc0
2.7.2.7342rc0
2.7.2.7353rc0
2.7.2.7355rc0
2.7.2.7361rc0
2.7.2.7364rc0
2.7.2.7367rc0
2.7.2.7369rc0
2.7.2.7379rc0
2.7.2.7381rc0
2.7.2.7383rc0
2.7.2.7388rc0
2.7.2.7396rc0
2.7.2.7400rc0
2.7.2.7406rc0
2.7.2.7410rc0
2.7.2.7412rc0
2.7.2.7414rc0
2.7.2.7418rc0
2.7.2.7424rc0
2.7.2.7426rc0
2.7.2.7428rc0
2.7.2.7439rc0
2.8.0
2.8.0.7448rc0
2.8.0.7450rc0
2.8.0.7452rc0
2.8.0.7459rc0
2.8.1
2.8.1.7464rc0
2.8.1.7470rc0
2.8.1.7477rc0
2.8.2
2.8.2.7481rc0
2.8.2.7483rc0
2.8.2.7485rc0
2.8.2.7495rc0
2.8.2.7498rc0
2.8.2.7503rc0
2.8.2.7505rc0
2.8.2.7508rc0
2.8.2.7516rc0
2.8.3
2.8.3.7522rc0
2.8.3.7533rc0
2.8.3.7535rc0
2.8.3.7546rc0
2.8.3.7550rc0
2.8.3.7553rc0
2.8.3.7555rc0
2.8.4
2.8.4.7557rc0
2.8.4.7559rc0
2.8.4.7575rc0
2.8.4.7578rc0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/bbot/PYSEC-2026-2392.yaml"