PYSEC-2026-2392
Vulnerability from pysec - Published: 2026-07-13 15:46 - Updated: 2026-07-13 16:03
VLAI
Details
The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.
Severity
5.3 (Medium)
Impacted products
| Name | purl | bbot | pkg:pypi/bbot |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "bbot",
"purl": "pkg:pypi/bbot"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.1"
},
{
"fixed": "2.8.5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.3.1",
"2.3.1.5815rc0",
"2.3.1.5818rc0",
"2.3.1.5820rc0",
"2.3.2",
"2.3.2.5825rc0",
"2.3.2.5827rc0",
"2.3.2.5829rc0",
"2.3.2.5832rc0",
"2.3.2.5836rc0",
"2.3.2.5838rc0",
"2.3.2.5841rc0",
"2.3.2.5848rc0",
"2.3.2.5850rc0",
"2.3.2.5855rc0",
"2.3.2.5874rc0",
"2.3.2.5889rc0",
"2.3.2.5893rc0",
"2.3.2.5897rc0",
"2.3.2.5904rc0",
"2.3.2.5906rc0",
"2.3.2.5909rc0",
"2.3.2.5913rc0",
"2.3.2.5915rc0",
"2.3.2.5927rc0",
"2.3.2.5938rc0",
"2.3.2.5942rc0",
"2.3.2.5944rc0",
"2.3.2.5950rc0",
"2.3.2.5958rc0",
"2.3.2.5967rc0",
"2.3.2.5971rc0",
"2.4.0",
"2.4.0.5974rc0",
"2.4.0.5977rc0",
"2.4.0.5984rc0",
"2.4.0.5986rc0",
"2.4.0.5988rc0",
"2.4.0.5992rc0",
"2.4.0.5995rc0",
"2.4.0.5997rc0",
"2.4.0.5999rc0",
"2.4.0.6005rc0",
"2.4.0.6007rc0",
"2.4.0.6031rc0",
"2.4.0.6037rc0",
"2.4.0.6039rc0",
"2.4.0.6045rc0",
"2.4.0.6050rc0",
"2.4.0.6067rc0",
"2.4.0.6073rc0",
"2.4.1",
"2.4.1.6075rc0",
"2.4.1.6077rc0",
"2.4.1.6089rc0",
"2.4.1.6094rc0",
"2.4.1.6095rc0",
"2.4.1.6100rc0",
"2.4.1.6107rc0",
"2.4.2",
"2.4.2.6109rc0",
"2.4.2.6590rc0",
"2.4.2.6596rc0",
"2.4.2.6608rc0",
"2.4.2.6611rc0",
"2.4.2.6615rc0",
"2.4.2.6621rc0",
"2.4.2.6623rc0",
"2.4.2.6635rc0",
"2.4.2.6638rc0",
"2.4.2.6653rc0",
"2.4.2.6655rc0",
"2.4.2.6659rc0",
"2.4.2.6677rc0",
"2.4.2.6706rc0",
"2.5.0",
"2.5.0.6715rc0",
"2.5.0.6719rc0",
"2.5.0.6721rc0",
"2.5.0.6730rc0",
"2.5.0.6734rc0",
"2.5.0.6737rc0",
"2.5.0.6742rc0",
"2.5.0.6747rc0",
"2.5.0.6765rc0",
"2.5.0.6769rc0",
"2.5.0.6773rc0",
"2.5.0.6779rc0",
"2.5.0.6782rc0",
"2.5.0.6790rc0",
"2.5.0.6803rc0",
"2.5.0.6807rc0",
"2.5.0.6817rc0",
"2.5.0.6831rc0",
"2.6.0",
"2.6.0.6840rc0",
"2.6.0.6842rc0",
"2.6.0.6846rc0",
"2.6.0.6851rc0",
"2.6.0.6853rc0",
"2.6.0.6856rc0",
"2.6.0.6871rc0",
"2.6.0.6879rc0",
"2.6.1",
"2.6.1.6901rc0",
"2.6.1.6913rc0",
"2.6.1.6915rc0",
"2.7.0",
"2.7.0.6919rc0",
"2.7.0.6925rc0",
"2.7.0.6930rc0",
"2.7.0.6932rc0",
"2.7.0.6948rc0",
"2.7.0.6962rc0",
"2.7.0.6989rc0",
"2.7.0.6995rc0",
"2.7.0.7002rc0",
"2.7.0.7010rc0",
"2.7.0.7014rc0",
"2.7.0.7023rc0",
"2.7.0.7027rc0",
"2.7.0.7090rc0",
"2.7.0.7092rc0",
"2.7.0.7094rc0",
"2.7.0.7096rc0",
"2.7.0.7098rc0",
"2.7.0.7100rc0",
"2.7.0.7108rc0",
"2.7.0.7112rc0",
"2.7.0.7116rc0",
"2.7.0.7136rc0",
"2.7.1",
"2.7.1.7141rc0",
"2.7.1.7149rc0",
"2.7.1.7151rc0",
"2.7.1.7153rc0",
"2.7.1.7159rc0",
"2.7.1.7167rc0",
"2.7.1.7169rc0",
"2.7.1.7175rc0",
"2.7.1.7198rc0",
"2.7.1.7202rc0",
"2.7.1.7207rc0",
"2.7.1.7212rc0",
"2.7.2",
"2.7.2.7226rc0",
"2.7.2.7236rc0",
"2.7.2.7238rc0",
"2.7.2.7244rc0",
"2.7.2.7254rc0",
"2.7.2.7256rc0",
"2.7.2.7269rc0",
"2.7.2.7271rc0",
"2.7.2.7278rc0",
"2.7.2.7284rc0",
"2.7.2.7286rc0",
"2.7.2.7288rc0",
"2.7.2.7298rc0",
"2.7.2.7303rc0",
"2.7.2.7311rc0",
"2.7.2.7319rc0",
"2.7.2.7324rc0",
"2.7.2.7334rc0",
"2.7.2.7337rc0",
"2.7.2.7342rc0",
"2.7.2.7353rc0",
"2.7.2.7355rc0",
"2.7.2.7361rc0",
"2.7.2.7364rc0",
"2.7.2.7367rc0",
"2.7.2.7369rc0",
"2.7.2.7379rc0",
"2.7.2.7381rc0",
"2.7.2.7383rc0",
"2.7.2.7388rc0",
"2.7.2.7396rc0",
"2.7.2.7400rc0",
"2.7.2.7406rc0",
"2.7.2.7410rc0",
"2.7.2.7412rc0",
"2.7.2.7414rc0",
"2.7.2.7418rc0",
"2.7.2.7424rc0",
"2.7.2.7426rc0",
"2.7.2.7428rc0",
"2.7.2.7439rc0",
"2.8.0",
"2.8.0.7448rc0",
"2.8.0.7450rc0",
"2.8.0.7452rc0",
"2.8.0.7459rc0",
"2.8.1",
"2.8.1.7464rc0",
"2.8.1.7470rc0",
"2.8.1.7477rc0",
"2.8.2",
"2.8.2.7481rc0",
"2.8.2.7483rc0",
"2.8.2.7485rc0",
"2.8.2.7495rc0",
"2.8.2.7498rc0",
"2.8.2.7503rc0",
"2.8.2.7505rc0",
"2.8.2.7508rc0",
"2.8.2.7516rc0",
"2.8.3",
"2.8.3.7522rc0",
"2.8.3.7533rc0",
"2.8.3.7535rc0",
"2.8.3.7546rc0",
"2.8.3.7550rc0",
"2.8.3.7553rc0",
"2.8.3.7555rc0",
"2.8.4",
"2.8.4.7557rc0",
"2.8.4.7559rc0",
"2.8.4.7575rc0",
"2.8.4.7578rc0"
]
}
],
"aliases": [
"CVE-2026-12565",
"GHSA-3vgw-585j-4m45"
],
"details": "The `unarchive` internal module\u0027s archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar \u003c 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.",
"id": "PYSEC-2026-2392",
"modified": "2026-07-13T16:03:36.093915Z",
"published": "2026-07-13T15:46:20.506716Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/blacklanternsecurity/bbot/security/advisories/GHSA-3vgw-585j-4m45"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12565"
},
{
"type": "WEB",
"url": "https://github.com/blacklanternsecurity/bbot/commit/4fb38fd6e"
},
{
"type": "PACKAGE",
"url": "https://github.com/blacklanternsecurity/bbot"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/bbot"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-3vgw-585j-4m45"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…