CVE-2026-3087 shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs — CVE-2026-3087

CVE · Microsoft · CVE-2026-3087

ID
CVE-2026-3087

Date
2026-04-27

Updated
2026-05-12

Activity
2026-05-12

Source
CVE

Vendor
Microsoft

Threat
medium

CVSS
6

Summary

CVE-2026-3087 is a advisory from CVE. CVE-2026-3087 shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs Vendor: Microsoft. Severity/Threat: medium. Source updated on 2026-05-12.

Product

Security Update Guide

What to do

General, cautious steps (verify details in the official source):

Review exposure and plan remediation based on risk and environment.
Identify affected product versions in your inventory and verify whether you are impacted.
Apply vendor patches/updates or recommended mitigations as soon as available.
Read the official advisory for exact affected versions and remediation steps.