CVE-2026-21437
Untracked File Inclusion Vulnerability in eopkg Package Manager
Publication date: 2026-01-01
Last updated on: 2026-03-04
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getsol | eopkg | < 4.4.0 (4.4.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-353 | The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the eopkg package manager (versions prior to 4.4.0) allows a malicious package to include files that are not tracked by eopkg. These untracked files are hidden from tools like lseopkg, potentially allowing unauthorized modifications to go unnoticed. Exploiting this requires installing a package from a malicious or compromised source, with high privileges and active user interaction. The issue was fixed in version 4.4.0. [1]
How can this vulnerability impact me?
The vulnerability can impact you by allowing unauthorized files to be installed and hidden on your system, potentially compromising system integrity. While the initial confidentiality and availability impacts on the vulnerable system are low or none, the subsequent impact on system availability can be high, meaning the system could be destabilized or disrupted after exploitation. Users installing only from official Solus repositories are not affected. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves untracked files installed by malicious packages that are not shown by eopkg tools like lseopkg. Detection can involve manually inspecting installed package files for discrepancies or using file integrity monitoring tools to detect unexpected files. However, no specific commands are provided in the available resources to detect this vulnerability directly. [1]
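As an added illustration (not code from the advisory or from the eopkg project), the following Python check compares the file manifest inside an eopkg archive with the payload that would actually be unpacked, reporting any path the manifest does not declare. It assumes the archive is a zip containing a files.xml whose entries carry a <Path> element and an install.tar.xz payload; the sample archive is constructed in memory for the demonstration.

```python
import io
import tarfile
import zipfile
import xml.etree.ElementTree as ET


def manifest_paths(files_xml: bytes) -> set[str]:
    """Paths the package declares (assumed layout: <Files><File><Path>..</Path></File>)."""
    return {p.text.strip("/") for p in ET.fromstring(files_xml).iter("Path") if p.text}


def tarball_paths(install_tar: bytes) -> set[str]:
    """Files and symlinks that would actually land on disk when the payload is unpacked."""
    with tarfile.open(fileobj=io.BytesIO(install_tar), mode="r:*") as tar:
        return {m.name.removeprefix("./").strip("/")
                for m in tar.getmembers() if m.isfile() or m.issym()}


def untracked_files(eopkg_bytes: bytes) -> set[str]:
    """Payload entries the manifest does not list: the files a package database would not track."""
    with zipfile.ZipFile(io.BytesIO(eopkg_bytes)) as zf:
        declared = manifest_paths(zf.read("files.xml"))
        shipped = tarball_paths(zf.read("install.tar.xz"))
    return shipped - declared


def build_sample_eopkg(tracked: dict[str, bytes], extra: dict[str, bytes]) -> bytes:
    """Constructed sample archive for the demo (not a real Solus package): every file goes
    into the payload, but only the `tracked` paths are written to files.xml."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:xz") as tar:
        for path, data in {**tracked, **extra}.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    files_xml = "<Files>" + "".join(
        f"<File><Path>{p}</Path></File>" for p in tracked) + "</Files>"
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("metadata.xml", "<PISI/>")  # placeholder metadata, not a real header
        zf.writestr("files.xml", files_xml)
        zf.writestr("install.tar.xz", tar_buf.getvalue())
    return zip_buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_eopkg({"usr/bin/hello": b"#!/bin/sh\necho hi\n"},
                                {"usr/share/hello/extra.txt": b"not in the manifest\n"})
    for path in sorted(untracked_files(sample)):
        print("untracked:", path)
```

Running the check over packages before installation, or over the manifests a package database keeps for installed packages against the files present on disk, is one way to turn the file integrity monitoring suggested above into a concrete pre-install gate.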
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade eopkg to version 4.4.0 or later where the issue is fixed. Avoid installing packages from untrusted or third-party sources. Prefer using Flatpak for third-party packages and only install native Solus packages from official repositories. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.