PYSEC-2026-2392

Vulnerability from pysec - Published: 2026-07-13 15:46 - Updated: 2026-07-13 16:03
VLAI
Details

The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.

Impacted products
Name purl
bbot pkg:pypi/bbot

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "bbot",
        "purl": "pkg:pypi/bbot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.1"
            },
            {
              "fixed": "2.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3.1",
        "2.3.1.5815rc0",
        "2.3.1.5818rc0",
        "2.3.1.5820rc0",
        "2.3.2",
        "2.3.2.5825rc0",
        "2.3.2.5827rc0",
        "2.3.2.5829rc0",
        "2.3.2.5832rc0",
        "2.3.2.5836rc0",
        "2.3.2.5838rc0",
        "2.3.2.5841rc0",
        "2.3.2.5848rc0",
        "2.3.2.5850rc0",
        "2.3.2.5855rc0",
        "2.3.2.5874rc0",
        "2.3.2.5889rc0",
        "2.3.2.5893rc0",
        "2.3.2.5897rc0",
        "2.3.2.5904rc0",
        "2.3.2.5906rc0",
        "2.3.2.5909rc0",
        "2.3.2.5913rc0",
        "2.3.2.5915rc0",
        "2.3.2.5927rc0",
        "2.3.2.5938rc0",
        "2.3.2.5942rc0",
        "2.3.2.5944rc0",
        "2.3.2.5950rc0",
        "2.3.2.5958rc0",
        "2.3.2.5967rc0",
        "2.3.2.5971rc0",
        "2.4.0",
        "2.4.0.5974rc0",
        "2.4.0.5977rc0",
        "2.4.0.5984rc0",
        "2.4.0.5986rc0",
        "2.4.0.5988rc0",
        "2.4.0.5992rc0",
        "2.4.0.5995rc0",
        "2.4.0.5997rc0",
        "2.4.0.5999rc0",
        "2.4.0.6005rc0",
        "2.4.0.6007rc0",
        "2.4.0.6031rc0",
        "2.4.0.6037rc0",
        "2.4.0.6039rc0",
        "2.4.0.6045rc0",
        "2.4.0.6050rc0",
        "2.4.0.6067rc0",
        "2.4.0.6073rc0",
        "2.4.1",
        "2.4.1.6075rc0",
        "2.4.1.6077rc0",
        "2.4.1.6089rc0",
        "2.4.1.6094rc0",
        "2.4.1.6095rc0",
        "2.4.1.6100rc0",
        "2.4.1.6107rc0",
        "2.4.2",
        "2.4.2.6109rc0",
        "2.4.2.6590rc0",
        "2.4.2.6596rc0",
        "2.4.2.6608rc0",
        "2.4.2.6611rc0",
        "2.4.2.6615rc0",
        "2.4.2.6621rc0",
        "2.4.2.6623rc0",
        "2.4.2.6635rc0",
        "2.4.2.6638rc0",
        "2.4.2.6653rc0",
        "2.4.2.6655rc0",
        "2.4.2.6659rc0",
        "2.4.2.6677rc0",
        "2.4.2.6706rc0",
        "2.5.0",
        "2.5.0.6715rc0",
        "2.5.0.6719rc0",
        "2.5.0.6721rc0",
        "2.5.0.6730rc0",
        "2.5.0.6734rc0",
        "2.5.0.6737rc0",
        "2.5.0.6742rc0",
        "2.5.0.6747rc0",
        "2.5.0.6765rc0",
        "2.5.0.6769rc0",
        "2.5.0.6773rc0",
        "2.5.0.6779rc0",
        "2.5.0.6782rc0",
        "2.5.0.6790rc0",
        "2.5.0.6803rc0",
        "2.5.0.6807rc0",
        "2.5.0.6817rc0",
        "2.5.0.6831rc0",
        "2.6.0",
        "2.6.0.6840rc0",
        "2.6.0.6842rc0",
        "2.6.0.6846rc0",
        "2.6.0.6851rc0",
        "2.6.0.6853rc0",
        "2.6.0.6856rc0",
        "2.6.0.6871rc0",
        "2.6.0.6879rc0",
        "2.6.1",
        "2.6.1.6901rc0",
        "2.6.1.6913rc0",
        "2.6.1.6915rc0",
        "2.7.0",
        "2.7.0.6919rc0",
        "2.7.0.6925rc0",
        "2.7.0.6930rc0",
        "2.7.0.6932rc0",
        "2.7.0.6948rc0",
        "2.7.0.6962rc0",
        "2.7.0.6989rc0",
        "2.7.0.6995rc0",
        "2.7.0.7002rc0",
        "2.7.0.7010rc0",
        "2.7.0.7014rc0",
        "2.7.0.7023rc0",
        "2.7.0.7027rc0",
        "2.7.0.7090rc0",
        "2.7.0.7092rc0",
        "2.7.0.7094rc0",
        "2.7.0.7096rc0",
        "2.7.0.7098rc0",
        "2.7.0.7100rc0",
        "2.7.0.7108rc0",
        "2.7.0.7112rc0",
        "2.7.0.7116rc0",
        "2.7.0.7136rc0",
        "2.7.1",
        "2.7.1.7141rc0",
        "2.7.1.7149rc0",
        "2.7.1.7151rc0",
        "2.7.1.7153rc0",
        "2.7.1.7159rc0",
        "2.7.1.7167rc0",
        "2.7.1.7169rc0",
        "2.7.1.7175rc0",
        "2.7.1.7198rc0",
        "2.7.1.7202rc0",
        "2.7.1.7207rc0",
        "2.7.1.7212rc0",
        "2.7.2",
        "2.7.2.7226rc0",
        "2.7.2.7236rc0",
        "2.7.2.7238rc0",
        "2.7.2.7244rc0",
        "2.7.2.7254rc0",
        "2.7.2.7256rc0",
        "2.7.2.7269rc0",
        "2.7.2.7271rc0",
        "2.7.2.7278rc0",
        "2.7.2.7284rc0",
        "2.7.2.7286rc0",
        "2.7.2.7288rc0",
        "2.7.2.7298rc0",
        "2.7.2.7303rc0",
        "2.7.2.7311rc0",
        "2.7.2.7319rc0",
        "2.7.2.7324rc0",
        "2.7.2.7334rc0",
        "2.7.2.7337rc0",
        "2.7.2.7342rc0",
        "2.7.2.7353rc0",
        "2.7.2.7355rc0",
        "2.7.2.7361rc0",
        "2.7.2.7364rc0",
        "2.7.2.7367rc0",
        "2.7.2.7369rc0",
        "2.7.2.7379rc0",
        "2.7.2.7381rc0",
        "2.7.2.7383rc0",
        "2.7.2.7388rc0",
        "2.7.2.7396rc0",
        "2.7.2.7400rc0",
        "2.7.2.7406rc0",
        "2.7.2.7410rc0",
        "2.7.2.7412rc0",
        "2.7.2.7414rc0",
        "2.7.2.7418rc0",
        "2.7.2.7424rc0",
        "2.7.2.7426rc0",
        "2.7.2.7428rc0",
        "2.7.2.7439rc0",
        "2.8.0",
        "2.8.0.7448rc0",
        "2.8.0.7450rc0",
        "2.8.0.7452rc0",
        "2.8.0.7459rc0",
        "2.8.1",
        "2.8.1.7464rc0",
        "2.8.1.7470rc0",
        "2.8.1.7477rc0",
        "2.8.2",
        "2.8.2.7481rc0",
        "2.8.2.7483rc0",
        "2.8.2.7485rc0",
        "2.8.2.7495rc0",
        "2.8.2.7498rc0",
        "2.8.2.7503rc0",
        "2.8.2.7505rc0",
        "2.8.2.7508rc0",
        "2.8.2.7516rc0",
        "2.8.3",
        "2.8.3.7522rc0",
        "2.8.3.7533rc0",
        "2.8.3.7535rc0",
        "2.8.3.7546rc0",
        "2.8.3.7550rc0",
        "2.8.3.7553rc0",
        "2.8.3.7555rc0",
        "2.8.4",
        "2.8.4.7557rc0",
        "2.8.4.7559rc0",
        "2.8.4.7575rc0",
        "2.8.4.7578rc0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-12565",
    "GHSA-3vgw-585j-4m45"
  ],
  "details": "The `unarchive` internal module\u0027s archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar \u003c 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.",
  "id": "PYSEC-2026-2392",
  "modified": "2026-07-13T16:03:36.093915Z",
  "published": "2026-07-13T15:46:20.506716Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/blacklanternsecurity/bbot/security/advisories/GHSA-3vgw-585j-4m45"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12565"
    },
    {
      "type": "WEB",
      "url": "https://github.com/blacklanternsecurity/bbot/commit/4fb38fd6e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/blacklanternsecurity/bbot"
    },
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/bbot"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-3vgw-585j-4m45"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…