Vulnerability Details CVE-2026-21436
eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.5%
CVSS Severity
CVSS v3 Score 5.5
References