CVE-2026-44941

Public on 2026-07-02
Modified on 2026-07-06
Description
A relative path traversal in the "keyhint" option in repomd.xml parsing of libzypp before 17.38.12 can be used by attackers able to supply a malicious repository to inject or overwrite files in the target system as root.
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
7.2
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core libsolv Not Affected
Amazon Linux 2023 libsolv Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H