CVE-2026-21436 – eopkg has Path Traversal: ‘../filedir’ vulnerability

CVE ID : CVE-2026-21436

Published : Jan. 1, 2026, 6:03 p.m. | 22 minutes ago

Description : eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `–destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `–destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…