{"id":"PSF-2026-22","details":"If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.","aliases":["CVE-2026-3087"],"modified":"2026-04-28T02:00:09.789598Z","published":"2026-04-27T20:46:43.201Z","database_specific":{"cwe_ids":[]},"references":[{"type":"WEB","url":"https://github.com/python/cpython/pull/146591"},{"type":"REPORT","url":"https://github.com/python/cpython/issues/146581"},{"type":"ADVISORY","url":"https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python/cpython","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2026-22.json"}}],"schema_version":"1.7.5"}