CVE-2026-21437
Unknown Unknown - Not Provided
Untracked File Inclusion Vulnerability in eopkg Package Manager

Publication date: 2026-01-01

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-01
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-01-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21437
EUVD
EUVD-2026-0024
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getsol eopkg to 4.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the eopkg package manager (versions prior to 4.4.0) allows a malicious package to include files that are not tracked by eopkg. These untracked files are hidden from tools like lseopkg, potentially allowing unauthorized modifications to go unnoticed. Exploiting this requires installing a package from a malicious or compromised source, with high privileges and active user interaction. The issue was fixed in version 4.4.0. [1]

Impact Analysis

The vulnerability can impact you by allowing unauthorized files to be installed and hidden on your system, potentially compromising system integrity. While confidentiality and availability impacts on the vulnerable system are low or none initially, subsequent system availability impact can be high. This means the system could be destabilized or disrupted after exploitation. Users installing only from official Solus repositories are not affected. [1]

Detection Guidance

This vulnerability involves untracked files installed by malicious packages that are not shown by eopkg tools like lseopkg. Detection can involve manually inspecting installed package files for discrepancies or using file integrity monitoring tools to detect unexpected files. However, no specific commands are provided in the available resources to detect this vulnerability directly. [1]

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade eopkg to version 4.4.0 or later where the issue is fixed. Avoid installing packages from untrusted or third-party sources. Prefer using Flatpak for third-party packages and only install native Solus packages from official repositories. [1]

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21437. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart