CVE-2026-44942 | A path traversal in handling the "path" component of .repo f… | CVSS 6.5 MEDIUM

Description

A path traversal in handling the "path" component of .repo files processed by libzypp before 17.38.13 in the 17.x series, or before 16.22.19 could be used by attackers to fill directories on the system outside of the zypp cache with content.

Metadata

CVE ID: CVE-2026-44942
State: PUBLISHED
Assigner: suse
Reserved: 2026-05-08 12:29 UTC
Published: 2026-06-18 09:57 UTC
Last updated: 2026-06-18 12:09 UTC
Primary CWE: CWE-24
CWE-24 Path traversal: '../filedir'
Vendor / Product: SUSE / libzypp
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
SUSE	libzypp	—	17.0.0 < 17.38.13, 0 < 16.22.19

Weakness (CWE)

CWE	Source	Description
CWE-24	cna	CWE-24 Path traversal: '../filedir'

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (2)