CVE-2026-21436

01.01.2026, 18:15

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
GitHub_M	CNA	---	---
CISA-ADP	ADP	---	---

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Common Weakness Enumeration

CWE-24 - Path Traversal: '../filedir'
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

References

https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d

https://github.com/getsolus/eopkg/pull/201

https://github.com/getsolus/eopkg/releases/tag/v4.4.0

https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m