CVE-2026-21436

EUVD-2026-0025

01.01.2026, 18:15

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
getsol	eopkg	𝑥 < 4.4.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-24 - Path Traversal: '../filedir'
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

References

https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d

https://github.com/getsolus/eopkg/pull/201

https://github.com/getsolus/eopkg/releases/tag/v4.4.0

https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m