CVE-2026-44604 HIGH

CVE-2026-44604: Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directory name in popen() shell command

Vendor Red Hat
Product Pen Drive Powered by Red Hat Lightspeed
Weakness CWE-78
Published May 28, 2026
Last update June 8, 2026

CVSS base score

7.0/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) into a specified destination directory, `dountar()` pastes the archive's top-level directory name into the shell command string it hands to `popen()` without escaping or validating it. Because `/bin/sh` parses that string, a specially crafted archive whose top-level directory name contains shell metacharacters (`;`, `` ` ``, `$( )`, `|`, and so on) can execute arbitrary commands with the privileges of the user running the extraction, which is typically the account running `rpmbuild` on an untrusted source archive. The CVSS vector (AV:L, AC:H, UI:R) reflects that the victim has to be induced to unpack the attacker's archive locally.
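The following is an added illustration of the bug class described above, not rpm's own code: the shape of `dountar()`'s command construction and the exact command it runs are assumed, and the `printf '%s'` command used here stands in for the real extraction tool so the demo is harmless to run. It contrasts interpolating the unescaped top-level directory name into a `popen()` command with the two fixes a reviewer would expect: single-quoting the name for `/bin/sh`, and rejecting names that no legitimate archive top-level directory needs. The sample directory name is constructed and uses `echo INJECTED` in place of a harmful payload.

```c
#define _POSIX_C_SOURCE 200809L   /* for popen()/pclose() under strict -std=c99 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a ZIP/7z/GEM top-level directory name under attacker control.
 * "echo INJECTED" stands in for a real payload so the demo has no side effects. */
static const char *EVIL_TOPDIR = "pkg-1.0; echo INJECTED #";

/* Vulnerable shape (hypothetical, modelled on the advisory, not rpm's dountar()):
 * the name is pasted into the shell command string verbatim. */
int build_cmd_unsafe(const char *topdir, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "printf '%%s' %s", topdir);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Quote a string so /bin/sh treats it as one literal word:
 * wrap it in single quotes and turn each embedded ' into '\''. */
int shell_quote(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen < 3) return -1;
    out[o++] = '\'';
    for (const char *p = in; *p; p++) {
        const char *rep = (*p == '\'') ? "'\\''" : NULL;
        size_t need = rep ? strlen(rep) : 1;
        if (o + need + 2 > outlen) return -1;   /* +2: closing quote and NUL */
        if (rep) { memcpy(out + o, rep, need); o += need; }
        else out[o++] = *p;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Hardened shape: quote the name before it reaches the command string. */
int build_cmd_safe(const char *topdir, char *out, size_t outlen)
{
    char q[512];
    if (shell_quote(topdir, q, sizeof q) != 0) return -1;
    int n = snprintf(out, outlen, "printf '%%s' %s", q);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Belt and braces: allow only [A-Za-z0-9._+-], and reject a leading '-'
 * (would be parsed as an option), "." and "..". Names with '/' are rejected
 * too, since a top-level entry should never carry a path. */
int topdir_is_sane(const char *name)
{
    if (!name || !*name || name[0] == '-') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (!(isalnum(*p) || strchr("._+-", *p))) return 0;
    return 1;
}

/* Run cmd through popen(), the sink the advisory names, and capture its stdout.
 * Returns the number of bytes read, or -1 on failure. */
long run_capture(const char *cmd, char *out, size_t outlen)
{
    FILE *fp = popen(cmd, "r");
    if (!fp) return -1;
    size_t got = fread(out, 1, outlen - 1, fp);
    out[got] = '\0';
    return pclose(fp) == -1 ? -1 : (long)got;
}

/* 1 if running the unquoted command let "INJECTED" leak into the output. */
int unsafe_injects(const char *topdir)
{
    char cmd[1024], out[1024];
    if (build_cmd_unsafe(topdir, cmd, sizeof cmd) != 0) return -1;
    if (run_capture(cmd, out, sizeof out) < 0) return -1;
    return strstr(out, "INJECTED") != NULL;
}

/* 1 if the quoted command echoes topdir back byte for byte and nothing else. */
int safe_roundtrips(const char *topdir)
{
    char cmd[1024], out[1024];
    if (build_cmd_safe(topdir, cmd, sizeof cmd) != 0) return -1;
    if (run_capture(cmd, out, sizeof out) < 0) return -1;
    return strcmp(out, topdir) == 0;
}

int main(void)
{
    printf("unquoted name injects:        %d\n", unsafe_injects(EVIL_TOPDIR));
    printf("quoted name round-trips:      %d\n", safe_roundtrips(EVIL_TOPDIR));
    printf("name passes allow-list check: %d\n", topdir_is_sane(EVIL_TOPDIR));
    return 0;
}
```

Quoting alone closes the injection, but the allow-list check is the cheaper review-time fix: an archive whose top-level name needs `;` or a backtick is never legitimate, and refusing it avoids having to reason about every shell's quoting rules. The most robust option, not shown here, is to drop the shell entirely and `fork`/`execvp` the extraction tool with an argument vector.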

Key dates

Disclosure timeline

May 28, 2026 CVE published
June 8, 2026 Record updated
