Unrated severityOSV Advisory· Published Jan 1, 2026· Updated Jan 2, 2026

eopkg has Path Traversal: '../filedir' vulnerability

CVE-2026-21436

Description

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by --destdir. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by --destdir, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

Affected products

Getsolus/EopkgOSV
Range: v3.1, v3.10, v3.2, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39dmitrex_refsource_MISC
github.com/getsolus/eopkg/pull/201mitrex_refsource_MISC
github.com/getsolus/eopkg/releases/tag/v4.4.0mitrex_refsource_MISC
github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6mmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000