PT-2026-44197 · Rpm · Rpm

Published

2026-05-28

·

Updated

2026-07-06

·

CVE-2026-44604

CVSS v3.1

7.0

High

VectorAV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions RPM (affected versions not specified)
Description A command injection issue exists in the rpmuncompress utility. When extracting ZIP, 7z, or GEM archive formats to a destination directory, the tool fails to sanitize the top-level folder name before inserting it into a shell command. An attacker can use a specially crafted archive with shell metacharacters in the folder name to execute arbitrary commands with the privileges of the user performing the extraction.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44604
ECHO-AABB-5650-DEE3
OPENSUSE-SU-2026:11193-1
RHSA-2026:28491

Affected Products

Rpm