Description
eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.
Published: 2026-01-01
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Directory traversal enabling arbitrary file installation outside the intended destination during package installation
Action: Immediate Patch
AI Analysis

Impact

eopkg, the Solus package manager written in Python, contains a directory traversal flaw that allows a malicious package to bypass the --destdir option and place files at arbitrary paths on the host filesystem. The vulnerability manifests when installing a package from a source that is not properly verified, enabling the package maintainer to embed file paths that escape the targeted installation directory. This can compromise confidentiality and integrity by writing or overwriting critical files; while it does not directly provide remote code execution, it could be leveraged in conjunction with other vulnerabilities or as part of a larger attack chain.
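The check that closes this class of '../filedir' entry is to treat every file path in a package as untrusted input and only write it once its resolved location is shown to lie under the `--destdir` root. The following is an added Python example, not eopkg's own code: `resolve_install_path`, `check_manifest`, the symlink scenario and the sample manifest entries are this example's constructions.

```python
"""Containment check for package file paths against a --destdir root.

Added example, not eopkg's own code. It demonstrates the defensive check
that defeats CWE-24 style '../filedir' entries: a manifest path is written
only if its resolved on-disk location stays inside destdir.
"""
import os
import tempfile


class PathEscapesDestdir(ValueError):
    """Raised when a manifest entry would resolve outside destdir."""


def resolve_install_path(destdir: str, manifest_path: str) -> str:
    """Return the absolute on-disk path for a manifest entry, or raise.

    Rules (this example's assumptions about a safe installer):
      * absolute manifest paths are rejected; package paths are root-relative
      * the joined path is resolved with realpath so that '..' segments and
        symlinked parent directories cannot redirect the write
      * the resolved path must be destdir itself or lie beneath it
    """
    if os.path.isabs(manifest_path):
        raise PathEscapesDestdir(f"absolute path in package: {manifest_path!r}")
    root = os.path.realpath(destdir)
    candidate = os.path.realpath(os.path.join(root, manifest_path))
    # commonpath is a component-wise prefix test, so '/srv/root' does not
    # accidentally match '/srv/rootkit' the way a string startswith() would.
    if os.path.commonpath([root, candidate]) != root:
        raise PathEscapesDestdir(f"path escapes destdir: {manifest_path!r}")
    return candidate


def check_manifest(destdir: str, entries):
    """Split manifest entries into (accepted, rejected) without writing anything."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            resolve_install_path(destdir, entry)
            accepted.append(entry)
        except PathEscapesDestdir:
            rejected.append(entry)
    return accepted, rejected


def symlinked_parent_is_rejected() -> bool:
    """Constructed scenario: destdir already contains a symlink pointing outside it.

    A purely lexical check on the string 'lib/file' would accept it; the
    realpath based check follows the link and refuses the write.
    """
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as outside:
        os.symlink(outside, os.path.join(root, "lib"))
        try:
            resolve_install_path(root, "lib/file")
        except PathEscapesDestdir:
            return True
        return False


# Constructed manifest entries covering the benign and the escaping cases.
CONSTRUCTED_MANIFEST = [
    "usr/bin/tool",                   # ordinary file: accepted
    "usr/share/doc/../man/tool.1",    # '..' that stays inside destdir: accepted
    "../etc/example.conf",            # classic '../filedir' escape: rejected
    "usr/../../etc/example.conf",     # escape hidden behind a valid prefix: rejected
    "/etc/example.conf",              # absolute path: rejected
]

if __name__ == "__main__":
    ok, bad = check_manifest("/srv/destdir-example", CONSTRUCTED_MANIFEST)
    print("accepted:", ok)
    print("rejected:", bad)
    print("symlinked parent rejected:", symlinked_parent_is_rejected())
```

The decisive detail is that the check runs on the resolved path rather than on the manifest string: `..` segments that stay inside the root are harmless and are allowed, while any segment or pre-existing symlink that leads outside the root is rejected before a single byte is written.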

Affected Systems

GetSolus eopkg versions earlier than 4.4.0 are affected. Only installations of packages from untrusted or compromised sources are vulnerable; packages installed from the official Solus repositories are not impacted. The flaw applies to every platform on which eopkg runs, since it lies in the package installation process itself.

Risk and Exploitability

The CVSS v3 score is 5.8, indicating a medium severity bug. The EPSS score is below 1%, implying a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires the attacker to supply a malicious package and get eopkg to install it, so the attack vector is local or depends on misplaced trust in the package source. Given the low exploitation probability, immediate patching is still recommended, although an urgent response may not be critical for every user.

Generated by OpenCVE AI on April 18, 2026 at 08:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade eopkg to version 4.4.0 or newer, which fixes the directory traversal flaw.
  • Ensure that all installed packages come only from the official Solus repository or are properly signed; do not install packages from unverified sources.
  • Configure eopkg to enforce signature verification or restrict installation to the Solus repository to prevent accidental installation of malicious packages.

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Getsol
                                      Getsol eopkg
CPEs                                  cpe:2.3:a:getsol:eopkg:*:*:*:*:*:python:*:*
Vendors & Products                    Getsol
                                      Getsol eopkg
Metrics                               cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Fri, 02 Jan 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 01 Jan 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Description                           eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.
Title                                 eopkg has Path Traversal: '../filedir' vulnerability
Weaknesses                            CWE-24
References
Metrics                               cvssV4_0 {'score': 5.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-02T18:52:58.220Z

Reserved: 2025-12-29T03:00:29.275Z

Link: CVE-2026-21436

Vulnrichment

Updated: 2026-01-02T18:52:46.207Z

NVD

Status: Analyzed

Published: 2026-01-01T18:15:41.203

Modified: 2026-03-04T21:33:14.970

Link: CVE-2026-21436

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses