CVE-2026-44604

ADVISORY - nist

Summary

A command injection vulnerability was discovered in the rpmuncompress utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.

EPSS Score⁠: 0.0002 (0.060)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-78⁠

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADVISORY - redhat

CWE-78⁠

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Impacted images

Advisories

NIST

CREATED

2 days ago

UPDATED

1 day ago

ADVISORY IDCVE-2026-44604⁠

EXPLOITABILITY SCORE

1

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

7high

Debian

CREATED

5 hours ago

UPDATED

43 minutes ago

ADVISORY IDCVE-2026-44604⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

7 hours ago

UPDATED

7 hours ago

ADVISORY IDCVE-2026-44604⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Red Hat

CREATED

2 days ago

UPDATED

20 hours ago

ADVISORY IDCVE-2026-44604⁠

EXPLOITABILITY SCORE

1.0

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

7medium