CVE-2026-3087 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
PSF	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 35%

Affected Products (NVD)

Vendor	Product	Version
python	python	𝑥 ≤ 3.14.4
python	python	3.15.0:alpha1
python	python	3.15.0:alpha2
python	python	3.15.0:alpha3
python	python	3.15.0:alpha4
python	python	3.15.0:alpha5
python	python	3.15.0:alpha6
python	python	3.15.0:alpha7
python	python	3.15.0:alpha8

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
python	cpython	𝑥 < 3.13.14	CNA

Debian Releases

Debian Product

Codename

pypy3

bookworm	7.3.11+dfsg-2+deb12u3 fixed
bullseye	7.3.5+dfsg-2+deb11u2 fixed
bullseye (security)	7.3.5+dfsg-2+deb11u5 fixed
forky	7.3.23+dfsg-1 fixed
sid	7.3.23+dfsg-1 fixed
trixie	7.3.19+dfsg-2 fixed

python3.11

bookworm	3.11.2-6+deb12u7 fixed
bookworm (security)	3.11.2-6+deb12u3 fixed

python3.13

forky	3.13.12-1 fixed
sid	3.13.14-1 fixed
trixie	3.13.5-2+deb13u2 fixed

python3.14

forky	3.14.5-1 fixed
sid	3.14.6-1 fixed

python3.9

bullseye	3.9.2-1 fixed
bullseye (security)	3.9.2-1+deb11u7 fixed

Known Exploits!

https://github.com/python/cpython/issues/146581

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c

https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb

https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94

https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840

https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd

https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19

https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4

https://github.com/python/cpython/issues/146581

https://github.com/python/cpython/pull/146591

https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/

http://www.openwall.com/lists/oss-security/2026/04/28/9