CVE-2026-21436

Summary

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by --destdir. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by --destdir, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

Affected Software

VendorProductVersion RangeStatus
getsoluseopkg< 4.4.0affected

Weaknesses

  • CWE-24: CWE-24: Path Traversal: '../filedir'

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References