Description
eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.
Published: 2026-01-01
Score: 2 Low (CVSS v4.0 from the CNA; NVD's CVSS v3.1 assessment is 5.5 Medium)
EPSS: < 1% Very Low
KEV: No
Impact: Integrity bypass of package file list
Action: Apply patch
AI Analysis

Impact

A malicious package can carry files that eopkg writes to disk but never records in its installed-file list. Such files are invisible to `lseopkg` and related tools, so the package manager will not report them, check them, or remove them with the package, which makes auditing and clean-up of an affected system harder. The weakness is classed as CWE-353 (missing support for integrity check): the file list that is supposed to account for every installed file could be bypassed by package content that was not listed in it. Exploitation requires the victim to install a package from a malicious or compromised source.

Affected Systems

Versions of eopkg older than 4.4.0 are affected. eopkg is the Solus package manager and is implemented in Python 3. Users who only install packages from the official Solus repositories are not affected; the exposure is confined to packages obtained from third-party or otherwise untrusted sources.

Risk and Exploitability

The CNA's CVSS v4.0 base score is 2 (Low); NVD separately rates the issue 5.5 (Medium) under CVSS v3.1, reflecting high integrity impact with local access and user interaction. The EPSS score is below 1%, indicating a very low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. An attacker needs a crafted package to be installed, which means either local installation privileges or the ability to place the package in a repository or download location the victim trusts. Because the flaw only manifests during package installation and is fixed in v4.4.0, the risk to users who rely solely on official repositories is minimal; it rises where third-party packages are used.

Generated by OpenCVE AI on April 18, 2026 at 08:35 UTC.

Remediation

The vendor fix is the eopkg v4.4.0 release; no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade eopkg to version 4.4.0 or later, which fixes the file-list tracking.
  • Reinstall or remove any packages that were installed from untrusted or third-party sources while a vulnerable eopkg was in use, and audit the filesystem for files that no installed package claims: the fix applies to new installations and cannot retroactively register files an earlier install left untracked.
  • Ensure that future package installations are sourced only from the official Solus repositories to prevent similar integrity bypass attempts.
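The two checks a practitioner would want for the gap described in the Impact section and for the verification step in the second action, added here as an example and not code from eopkg or Solus: a pre-install check that compares a package's payload against its declared file list, and a post-install audit that looks for files on disk that no package in the database claims. It assumes, since the advisory does not describe the format, that an .eopkg is a zip containing files.xml (a <Files> list of <File><Path>...</Path></File> entries) and an install.tar.xz payload, and that the installed-file database lives under /var/lib/eopkg/package/<name>/files.xml; the sample package and the temporary install root are constructed for the example.

```python
"""Added example, not eopkg's own code: find package files that escape eopkg's
file tracking, before install (archive check) and after (filesystem audit).
Assumed, not from the advisory: an .eopkg is a zip with files.xml (<Files> of
<File><Path>..</Path></File>) plus an install.tar.xz payload, and the package
database is /var/lib/eopkg/package/<name>/files.xml. Sample data is constructed."""
import io
import os
import tarfile
import tempfile
import xml.etree.ElementTree as ET
import zipfile


def tracked_paths(files_xml: bytes) -> set[str]:
    """Relative paths the package declares in files.xml."""
    root = ET.fromstring(files_xml)
    return {p.text.strip().lstrip("/") for p in root.iter("Path") if p.text}


def payload_paths(tar_xz: bytes) -> set[str]:
    """Regular files and symlinks actually shipped in the payload tarball."""
    with tarfile.open(fileobj=io.BytesIO(tar_xz), mode="r:xz") as tar:
        return {os.path.normpath(m.name).lstrip("/")
                for m in tar.getmembers() if m.isfile() or m.issym()}


def untracked_in_archive(eopkg: bytes) -> set[str]:
    """Pre-install check: payload entries missing from files.xml. A vulnerable
    eopkg would write these to disk but never list or remove them."""
    with zipfile.ZipFile(io.BytesIO(eopkg)) as z:
        declared = tracked_paths(z.read("files.xml"))
        shipped = payload_paths(z.read("install.tar.xz"))
    return shipped - declared


def untracked_on_disk(root: str, db_dir: str, prefixes: tuple) -> set[str]:
    """Post-install audit: files under the given prefixes of `root` that no
    files.xml in the package database claims."""
    owned = set()
    for pkg in os.listdir(db_dir):
        fx = os.path.join(db_dir, pkg, "files.xml")
        if os.path.isfile(fx):
            with open(fx, "rb") as fh:
                owned |= tracked_paths(fh.read())
    unowned = set()
    for prefix in prefixes:
        for dirpath, _, names in os.walk(os.path.join(root, prefix)):
            for name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if rel not in owned:
                    unowned.add(rel)
    return unowned


# Constructed sample: files.xml declares one file, the payload ships two.
SAMPLE_FILES_XML = b"<Files><File><Path>usr/bin/hello</Path></File></Files>"
SAMPLE_PAYLOAD = (("usr/bin/hello", b"#!/bin/sh\necho hi\n"),
                  ("usr/lib/.stowaway.so", b"not really an ELF"))


def build_sample_package() -> bytes:
    """Assemble the constructed .eopkg in memory."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:xz") as tar:
        for name, data in SAMPLE_PAYLOAD:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as z:
        z.writestr("files.xml", SAMPLE_FILES_XML)
        z.writestr("install.tar.xz", tar_buf.getvalue())
    return zip_buf.getvalue()


def simulate_vulnerable_install(eopkg: bytes):
    """Lay the payload out under a temporary root and record only files.xml,
    i.e. the state a pre-4.4.0 install would leave. Returns (root, db_dir)."""
    root = tempfile.mkdtemp()
    db_dir = os.path.join(root, "var/lib/eopkg/package")
    os.makedirs(os.path.join(db_dir, "hello"))
    with zipfile.ZipFile(io.BytesIO(eopkg)) as z:
        with open(os.path.join(db_dir, "hello", "files.xml"), "wb") as fh:
            fh.write(z.read("files.xml"))
        with tarfile.open(fileobj=io.BytesIO(z.read("install.tar.xz")),
                          mode="r:xz") as tar:
            for m in tar.getmembers():  # written by hand, no extractall()
                if not m.isfile():
                    continue
                dest = os.path.join(root, os.path.normpath(m.name).lstrip("/"))
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as fh:
                    fh.write(tar.extractfile(m).read())
    return root, db_dir


if __name__ == "__main__":
    pkg = build_sample_package()
    print("untracked in archive:", sorted(untracked_in_archive(pkg)))
    root, db = simulate_vulnerable_install(pkg)
    print("untracked on disk:", sorted(untracked_on_disk(root, db, ("usr",))))
```

Against a real system the on-disk audit would take `/` as the root, `/var/lib/eopkg/package` as the database, and a few package-managed prefixes such as `usr`; anything it reports under those prefixes is either a locally created file or exactly the kind of stowaway this advisory describes, and the archive check can be run on any third-party .eopkg before handing it to a still-vulnerable eopkg.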

Generated by OpenCVE AI on April 18, 2026 at 08:35 UTC.


Advisories

No advisories yet.

History

Wed, 04 Mar 2026 21:45:00 +0000

Type               | Values Removed | Values Added
First Time appeared|                | Getsol; Getsol eopkg
CPEs               |                | cpe:2.3:a:getsol:eopkg:*:*:*:*:*:python:*:*
Vendors & Products |                | Getsol; Getsol eopkg
Metrics            |                | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Fri, 02 Jan 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 01 Jan 2026 18:15:00 +0000

Type        | Values Removed | Values Added
Description |                | eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.
Title       |                | eopkg vulnerable to package file list integrity bypass
Weaknesses  |                | CWE-353
References  |                |
Metrics     |                | cvssV4_0 {'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-02T18:54:21.061Z

Reserved: 2025-12-29T03:00:29.275Z

Link: CVE-2026-21437

Vulnrichment

Updated: 2026-01-02T18:54:13.816Z

NVD

Status : Analyzed

Published: 2026-01-01T18:15:41.347

Modified: 2026-03-04T21:31:50.400

Link: CVE-2026-21437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses