{"id":"CVE-2026-44941","summary":"libzypp path traversal via \"keyhint\" in repomd.xml","details":"A relative path traversal in the \"keyhint\" option in repomd.xml parsing of libzypp before 17.38.12 can be used by attackers able to supply a malicious repository to inject or overwrite files in the target system as root.","modified":"2026-07-09T04:02:37.300244557Z","published":"2026-07-02T15:19:05.302Z","related":["SUSE-SU-2026:22062-1","SUSE-SU-2026:22073-1","SUSE-SU-2026:22172-1","SUSE-SU-2026:22221-1","SUSE-SU-2026:2531-1","SUSE-SU-2026:2575-1","SUSE-SU-2026:2590-1","SUSE-SU-2026:2674-1","openSUSE-SU-2026:10984-1","openSUSE-SU-2026:21096-1"],"database_specific":{"cwe_ids":["CWE-23"],"cna_assigner":"suse","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44941.json"},"references":[{"type":"WEB","url":"https://github.com/openSUSE/libzypp/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44941.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44941"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1267426"},{"type":"FIX","url":"https://github.com/openSUSE/libzypp/commit/294b1bad442d089ca671c5c03adc8031e3b29e04"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opensuse/libzypp","events":[{"introduced":"0"},{"fixed":"432186e6f756aec69f03cffc8238f7c81aaf6ff2"},{"fixed":"294b1bad442d089ca671c5c03adc8031e3b29e04"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:opensuse:libzypp:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"17.38.12"}]}}],"versions":["17.38.11","17.38.10","17.38.9","17.38.8","17.38.7","17.38.6","17.38.5","17.38.4","17.38.3","17.38.2","17.38.1","17.38.0","17.37.18","17.37.17","17.37.16","17.37.15","17.37.14","17.37.13","17.37.12","17.37.11","17.37.10","17.37.9","17.37.8","17.37.7","17.37.6","17.37.5","17.37.4","17.37.3","17.37.2","17.37.1","17.37.0","17.36.7","17.36.6","17.36.5","17.36.4","17.36.3","17.36.2","17.36.1","17.36.0","17.35.19","17.35.18","17.35.17","17.35.16","17.35.15","17.35.14","17.35.13","17.35.12","17.35.11","17.35.10","17.35.9","17.35.8","17.35.7","17.35.6","17.35.5","17.35.4","17.35.3","17.35.2","17.35.1","17.35.0","17.34.2","17.34.1","17.34.0","17.33.4","17.33.3","17.33.2","17.33.1","17.33.0","17.32.6","17.32.5","17.32.4","17.32.3","17.32.2","17.32.1","17.32.0","17.31.32","17.31.31","17.31.30","17.31.29","17.31.28","17.31.27","17.31.26","17.31.25","17.31.24","17.31.23","17.31.22","17.31.21","17.31.20","17.31.19","17.31.18","17.31.17","17.31.16","17.31.15","17.31.14","17.31.13","17.31.12","17.31.11","17.31.10","17.31.9","17.31.8","17.31.7","17.31.6","17.31.5","17.31.4","17.31.3","17.31.2","17.31.1","17.31.0","17.30.3","17.30.2","17.30.1","17.30.0","17.29.7","17.29.6","17.29.4","17.29.5","17.29.3","17.29.2","17.29.1","17.29.0","17.28.8","17.28.7","17.28.6","17.28.5","17.28.4","17.28.3","17.28.2","17.28.1","17.28.0","17.27.0","17.26.0","17.25.10","17.25.9","17.25.6","17.25.5","17.25.4","17.25.3","17.25.2","17.25.1","17.25.0","17.24.2","17.24.1","17.24.0","17.23.8","17.23.7","17.23.6","17.23.5","17.23.4","17.23.3","17.23.2","17.23.1","17.23.0","17.22.1","17.22.0","17.21.0","17.20.0","17.19.0","17.18.1","17.18.0","17.17.0","17.16.0","17.15.0","17.14.1","17.14.0","17.13.0","17.12.0","17.11.4","17.11.3","17.11.2","17.11.1","17.11.0","17.10.3","17.10.2","17.10.1","17.10.0","17.9.0","17.8.1","17.8.0","17.7.2","17.7.1","17.7.0","17.6.4","17.6.3","17.6.2","17.6.1","17.6.0","17.5.2","17.5.1","17.5.0","17.4.0","17.3.1","17.3.0","17.2.2","17.2.1","17.2.0","17.1.3","17.1.2","17.1.1","17.1.0","17.0.5","17.0.4","17.0.3","17.0.2","17.0.1","17.0.0","BASE-SuSE-SLE-12-SP2-Branch","16.17.3","16.17.2","16.17.1","16.17.0","16.16.0","16.15.6","16.15.5","16.15.4","16.15.3","16.15.2","16.15.1","16.15.0","16.14.0","16.13.0","16.12.0","16.11.0","16.10.0","16.9.0","16.8.0","16.7.0","16.6.1","16.6.0","16.5.2","16.5.1","16.5.0","16.4.3","16.4.2","16.4.1","16.4.0","16.3.2","16.3.1","16.3.0","16.2.25","16.2.4","16.2.3","16.2.2","16.2.1","16.2.0","16.1.3","16.1.2","16.1.0","16.0.5","16.0.3","16.0.0","BASE-SuSE-SLE-12-SP1-Branch","15.22.0","15.21.7","15.21.6","15.21.5","15.21.4","15.21.3","15.21.2","15.21.1","15.21.0","15.20.0","15.19.7","15.19.6","15.19.5","15.19.4","15.19.3","15.19.2","15.19.1","15.19.0","15.18.0","15.17.2","15.17.1","15.17.0","15.16.2","15.16.1","15.16.0","15.15.0","15.14.0","15.13.0","15.12.0","15.11.0","15.10.0","15.9.0","15.8.0","15.7.0","15.6.0","15.5.0","15.4.1","15.4.0","15.3.0","15.2.0","15.1.3","15.1.2","15.1.1","15.1.0","15.0.0","BASE-SuSE-SLE-12-Branch","14.38.1","14.38.0","14.37.1","14.37.0","14.36.0","14.35.0","14.34.0","14.33.0","14.32.2","14.32.1","14.32.0","14.31.0","14.30.2","14.30.1","14.30.0","14.29.4","14.29.3","14.29.2","14.29.1","14.29.0","14.28.0","14.27.2","14.27.1","14.27.0","14.26.1","14.26.0","14.25.0","14.24.0","14.23.0","14.22.0","14.21.0","14.20.0","14.19.0","14.18.0","14.17.5","14.17.4","14.17.3","14.17.2","14.17.1","14.17.0","14.16.1","14.16.0","14.15.0","14.14.0","14.13.0","14.12.0","14.11.0","14.10.0","14.9.0","14.8.0","14.7.0","14.6.0","14.5.0","14.4.0","14.3.0","14.2.1","14.2.0","14.1.1","14.1.0","BASE-SuSE-Code-13_1-Branch","14.0.0","13.7.0","13.6.0","13.5.0","13.4.0","13.3.0","13.2.0","13.1.0","13.0.0","BASE-SuSE-Code-12_3-Branch","12.11.0","12.10.1","12.10.0","12.9.0","12.8.1","12.8.0","12.7.0","12.6.0","12.5.0","12.4.0","12.3.0","12.2.0","12.1.0","12.0.1","12.0.0","BASE-SuSE-Code-12_2-Branch","11.7.0","11.6.3","11.6.2","11.6.0","11.5.0","11.4.0","11.3.0","11.2.0","11.1.1","11.1.0","BASE-SuSE-Code-12_1-Branch","11.0.0","10.3.5","10.3.4","10.3.3","10.3.2","10.3.1","10.3.0","10.2.0","10.1.1","BASE-SuSE-SLE-11-SP2-Branch","9.11.0","10.1.0","10.0.0","9.10.2","9.10.1","9.10.0","9.9.2","9.9.1","9.9.0","9.8.7","9.8.6","9.8.5","9.8.4","9.8.3","9.8.2","9.8.1","9.8.0","9.7.0","9.6.0","9.5.0","9.4.0","9.3.0","9.2.0","9.1.2","9.1.1","9.1.0","9.0.3","9.0.2","9.0.1","9.0.0","BASE-SuSE-Code-11_4-Branch","8.12.1","8.12.0","8.11.0","8.10.6","8.10.5","8.5.0","8.4.0","8.3.0","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","7.7.5","7.7.4","7.7.3","7.7.2","7.6.1","7.6.0","7.5.0","7.4.0","7.3.0","7.2.0","7.1.1","7.1.0","7.0.0","6.31.3","6.31.2","6.31.1","6.31.0","6.30.5","BASE-SuSE-Code-11_2-Branch","6.30.3","6.30.1","6.29.5","6.29.4","6.29.3","6.29.2","6.29.0","6.27.1","6.27.0","6.26.0","6.25.0","6.24.3","6.24.2","6.24.0","6.23.0","6.22.3","6.22.1","6.22.0","6.21.4","6.21.3","6.21.2","6.21.1","6.21.0","6.20.0","6.19.3","6.19.2","6.19.1","6.19.0","6.18.2","6.18.1","6.18.0","6.17.2","6.17.1","6.17.0","6.16.0","6.15.0","6.14.3","6.14.1","6.14.0","6.13.3","6.13.0","6.12.0","6.11.4","6.11.2","6.11.0","6.10.1","6.10.0","6.9.3","6.9.2","6.9.1","6.9.0","6.8.3","6.8.2","6.8.1","6.8.0","6.7.0","6.6.0","BASE-SuSE-Code-11-Branch","BASE-SuSE-Linux-11_0-Branch","BASE-SuSE-Linux-10_3-Branch","BASE-SuSE-SLE-10-SP2-Branch"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44941.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"}]}