{"id":"CVE-2026-44942","summary":"libzypp .repo files can have an optional path which can lead to path traversal attacks","details":"A path traversal in handling the \"path\" component of .repo files processed by libzypp before 17.38.13 in the 17.x series, or before 16.22.19 could be used by attackers to fill directories on the system outside of the zypp cache with content.","modified":"2026-07-08T08:05:16.265832027Z","published":"2026-06-18T09:57:12.821Z","related":["SUSE-SU-2026:22064-1","SUSE-SU-2026:22073-1","SUSE-SU-2026:22172-1","SUSE-SU-2026:22221-1","SUSE-SU-2026:2531-1","SUSE-SU-2026:2575-1","SUSE-SU-2026:2590-1","SUSE-SU-2026:2628-1","SUSE-SU-2026:2674-1","openSUSE-SU-2026:10984-1","openSUSE-SU-2026:21096-1"],"database_specific":{"cna_assigner":"suse","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44942.json","cwe_ids":["CWE-24"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44942.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44942"},{"type":"ADVISORY","url":"https://www.suse.com/security/cve/CVE-2026-44942.html"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1267874"},{"type":"PACKAGE","url":"https://github.com/opensuse/libzypp"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opensuse/libzypp","events":[{"introduced":"4275d93f6fa1b7a48f61c954cb2e5051ee5202b1"},{"fixed":"bb4e770aaab75ed07b1ac0b56a659ac974652944"},{"introduced":"0"},{"fixed":"6a8c7731f94e631ce86a16fe70f8f6500ec949a3"}],"database_specific":{"extracted_events":[{"introduced":"17.0.0"},{"fixed":"17.38.13"},{"introduced":"0"},{"fixed":"16.22.19"}],"source":"AFFECTED_FIELD"}}],"versions":["16.22.18","17.38.12","17.38.11","16.22.17","17.38.10","16.22.16","17.38.9","17.38.8","17.38.7","17.38.6","17.38.5","17.38.4","17.38.3","17.38.2","17.38.1","17.38.0","17.37.18","17.37.17","17.37.16","17.37.15","17.37.14","17.37.13","17.37.12","17.37.11","17.37.10","17.37.9","17.37.8","17.37.7","17.37.6","17.37.5","17.37.4","17.37.3","17.37.2","17.37.1","17.37.0","17.36.7","17.36.6","17.36.5","16.22.15","17.36.4","17.36.3","17.36.2","17.36.1","17.36.0","17.35.19","17.35.18","17.35.17","17.35.16","16.22.14","17.35.15","16.22.13","17.35.14","17.35.13","17.35.12","17.35.11","17.35.10","17.35.9","17.35.8","17.35.7","17.35.6","17.35.5","17.35.4","17.35.3","17.35.2","17.35.1","17.35.0","17.34.2","16.22.12","17.34.1","17.34.0","17.33.4","17.33.3","17.33.2","17.33.1","17.33.0","17.32.6","17.32.5","17.32.4","17.32.3","17.32.2","17.32.1","17.32.0","17.31.32","17.31.31","17.31.30","16.22.11","17.31.29","17.31.28","17.31.27","17.31.26","16.22.10","17.31.25","17.31.24","17.31.23","16.22.9","17.31.22","17.31.21","17.31.20","17.31.19","16.22.8","17.31.18","17.31.17","17.31.16","17.31.15","17.31.14","17.31.13","17.31.12","16.22.7","17.31.11","16.22.6","17.31.10","17.31.9","16.22.5","17.31.8","17.31.7","17.31.6","17.31.5","17.31.4","17.31.3","17.31.2","17.31.1","17.31.0","17.30.3","17.30.2","17.30.1","17.30.0","16.22.4","17.29.7","17.29.6","17.29.4","17.29.5","17.29.3","16.22.3","17.29.2","17.29.1","17.29.0","17.28.8","17.28.7","17.28.6","16.22.2","17.28.5","17.28.4","16.22.1","17.28.3","17.28.2","17.28.1","17.28.0","16.22.0","17.27.0","17.26.0","17.25.10","17.25.9","16.21.4","17.25.6","17.25.5","17.25.4","17.25.3","16.21.3","17.25.2","17.25.1","17.25.0","17.24.2","17.24.1","17.24.0","17.23.8","17.23.7","17.23.6","17.23.5","17.23.4","17.23.3","17.23.2","17.23.1","17.23.0","17.22.1","17.22.0","17.21.0","17.20.0","17.19.0","16.21.2","17.18.1","17.18.0","17.17.0","17.16.0","16.21.1","17.15.0","16.21.0","17.14.1","17.14.0","BASE-SuSE-RES-8-Branch","16.20.2","17.13.0","16.20.1","16.20.0","17.12.0","17.11.4","17.11.3","17.11.2","17.11.1","16.19.1","17.11.0","17.10.3","17.10.2","17.10.1","17.10.0","17.9.0","17.8.1","17.8.0","16.19.0","16.18.0","16.17.21","17.7.2","17.7.1","17.7.0","16.17.20","17.6.4","16.17.19","17.6.3","17.6.2","17.6.1","16.17.18","17.6.0","16.17.17","17.5.2","17.5.1","16.17.16","16.17.15","16.17.14","17.5.0","16.17.13","17.4.0","17.3.1","16.17.12","17.3.0","16.17.11","17.2.2","17.2.1","17.2.0","16.17.10","17.1.3","17.1.2","16.17.9","17.1.1","16.17.8","17.1.0","16.17.7","16.17.6","17.0.5","16.17.5","17.0.4","17.0.3","17.0.2","16.17.4","17.0.1","17.0.0","BASE-SuSE-SLE-12-SP2-Branch","16.17.3","16.17.2","16.17.1","16.17.0","16.16.0","16.15.6","16.15.5","16.15.4","16.15.3","16.15.2","16.15.1","16.15.0","16.14.0","16.13.0","16.12.0","16.11.0","16.10.0","16.9.0","16.8.0","16.7.0","16.6.1","16.6.0","16.5.2","16.5.1","16.5.0","16.4.3","16.4.2","16.4.1","16.4.0","16.3.2","16.3.1","16.3.0","16.2.25","16.2.4","16.2.3","16.2.2","16.2.1","16.2.0","16.1.3","16.1.2","16.1.0","16.0.5","16.0.3","16.0.0","BASE-SuSE-SLE-12-SP1-Branch","15.22.0","15.21.7","15.21.6","15.21.5","15.21.4","15.21.3","15.21.2","15.21.1","15.21.0","15.20.0","15.19.7","15.19.6","15.19.5","15.19.4","15.19.3","15.19.2","15.19.1","15.19.0","15.18.0","15.17.2","15.17.1","15.17.0","15.16.2","15.16.1","15.16.0","15.15.0","15.14.0","15.13.0","15.12.0","15.11.0","15.10.0","15.9.0","15.8.0","15.7.0","15.6.0","15.5.0","15.4.1","15.4.0","15.3.0","15.2.0","15.1.3","15.1.2","15.1.1","15.1.0","15.0.0","BASE-SuSE-SLE-12-Branch","14.38.1","14.38.0","14.37.1","14.37.0","14.36.0","14.35.0","14.34.0","14.33.0","14.32.2","14.32.1","14.32.0","14.31.0","14.30.2","14.30.1","14.30.0","14.29.4","14.29.3","14.29.2","14.29.1","14.29.0","14.28.0","14.27.2","14.27.1","14.27.0","14.26.1","14.26.0","14.25.0","14.24.0","14.23.0","14.22.0","14.21.0","14.20.0","14.19.0","14.18.0","14.17.5","14.17.4","14.17.3","14.17.2","14.17.1","14.17.0","14.16.1","14.16.0","14.15.0","14.14.0","14.13.0","14.12.0","14.11.0","14.10.0","14.9.0","14.8.0","14.7.0","14.6.0","14.5.0","14.4.0","14.3.0","14.2.1","14.2.0","14.1.1","14.1.0","BASE-SuSE-Code-13_1-Branch","14.0.0","13.7.0","13.6.0","13.5.0","13.4.0","13.3.0","13.2.0","13.1.0","13.0.0","BASE-SuSE-Code-12_3-Branch","12.11.0","12.10.1","12.10.0","12.9.0","12.8.1","12.8.0","12.7.0","12.6.0","12.5.0","12.4.0","12.3.0","12.2.0","12.1.0","12.0.1","12.0.0","BASE-SuSE-Code-12_2-Branch","11.7.0","11.6.3","11.6.2","11.6.0","11.5.0","11.4.0","11.3.0","11.2.0","11.1.1","11.1.0","BASE-SuSE-Code-12_1-Branch","11.0.0","10.3.5","10.3.4","10.3.3","10.3.2","10.3.1","10.3.0","10.2.0","10.1.1","BASE-SuSE-SLE-11-SP2-Branch","9.11.0","10.1.0","10.0.0","9.10.2","9.10.1","9.10.0","9.9.2","9.9.1","9.9.0","9.8.7","9.8.6","9.8.5","9.8.4","9.8.3","9.8.2","9.8.1","9.8.0","9.7.0","9.6.0","9.5.0","9.4.0","9.3.0","9.2.0","9.1.2","9.1.1","9.1.0","9.0.3","9.0.2","9.0.1","9.0.0","BASE-SuSE-Code-11_4-Branch","8.12.1","8.12.0","8.11.0","8.10.6","8.10.5","8.5.0","8.4.0","8.3.0","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","7.7.5","7.7.4","7.7.3","7.7.2","7.6.1","7.6.0","7.5.0","7.4.0","7.3.0","7.2.0","7.1.1","7.1.0","7.0.0","6.31.3","6.31.2","6.31.1","6.31.0","6.30.5","BASE-SuSE-Code-11_2-Branch","6.30.3","6.30.1","6.29.5","6.29.4","6.29.3","6.29.2","6.29.0","6.27.1","6.27.0","6.26.0","6.25.0","6.24.3","6.24.2","6.24.0","6.23.0","6.22.3","6.22.1","6.22.0","6.21.4","6.21.3","6.21.2","6.21.1","6.21.0","6.20.0","6.19.3","6.19.2","6.19.1","6.19.0","6.18.2","6.18.1","6.18.0","6.17.2","6.17.1","6.17.0","6.16.0","6.15.0","6.14.3","6.14.1","6.14.0","6.13.3","6.13.0","6.12.0","6.11.4","6.11.2","6.11.0","6.10.1","6.10.0","6.9.3","6.9.2","6.9.1","6.9.0","6.8.3","6.8.2","6.8.1","6.8.0","6.7.0","6.6.0","BASE-SuSE-Code-11-Branch","BASE-SuSE-Linux-11_0-Branch","BASE-SuSE-Linux-10_3-Branch","BASE-SuSE-SLE-10-SP2-Branch"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44942.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}