CVE-2026-21437
2
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:H
Summary
eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by eopkg. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by lseopkg and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| getsolus | eopkg | < 4.4.0 | affected |
Weaknesses
- CWE-353: CWE-353: Missing Support for Integrity Check
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/getsolus/eopkg/security/advisories/GHSA-hjp7-qwrj-6cc6
- https://github.com/getsolus/eopkg/pull/201
- https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d
- https://github.com/getsolus/eopkg/releases/tag/v4.4.0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.