GHSA-3vgw-585j-4m45 · Severity: medium · Ecosystem: pip — BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284
The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.
Conclusion & alert: CVE-2026-12565 is rated Low Risk (25/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.21%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-18 | — | 0.21% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.3 | 3.1 | MEDIUM |
|
1.6 | 3.6 | [email protected] |
GHSA-3vgw-585j-4m45 · Severity: medium · Ecosystem: pip — BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||