Use of Incorrect Operator Affecting pyzipper package, versions [,0.4.0)


Severity

Recommended: 0.0, medium (scale 0 to 10)

CVSS assessment by Snyk's Security Team.

Threat Intelligence

EPSS
0.01% (1st percentile)

  • Snyk ID: SNYK-PYTHON-PYZIPPER-17670566
  • Published: 29 Jun 2026
  • Disclosed: 14 May 2026
  • Credit: llavarello

Introduced: 14 May 2026

CVE-2026-44722
CWE-480

How to fix?

Upgrade pyzipper to version 0.4.0 or higher.

Overview

pyzipper provides AES encryption for zipfile.

Affected versions of this package are vulnerable to Use of Incorrect Operator via the zipfile_aes.py process. An attacker can recover the contents of small or low-entropy encrypted files by brute-forcing candidate plaintexts and comparing their CRC32 checksums to the unencrypted CRC32 value stored in the ZIP header.
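To find archives already written with the CRC32 exposed, the following added audit check (not Snyk's or pyzipper's code) reads only the ZIP central directory and lists AES-encrypted entries whose header CRC32 is non-zero. It assumes the WinZip AES layout (compression method 99, extra field 0x9901); the function names, the 64-byte "small" threshold and the sample archive are constructed for illustration.

```python
import io, struct, zipfile, zlib

AES_METHOD = 99        # ZIP "compression method" value that marks a WinZip AES entry
AES_EXTRA_ID = 0x9901  # extra-field ID holding AE version, "AE", key strength, real method

def ae_version(extra):
    """Return the AE-x vendor version from the 0x9901 extra field, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        if tag == AES_EXTRA_ID and size >= 7:
            return struct.unpack_from("<H", extra, pos + 4)[0]
        pos += 4 + size
    return None

def audit(zip_bytes, small=64):
    """Report AES entries whose header still exposes a CRC32 of the plaintext.

    Returns (name, AE version, plaintext size, is_small) per exposed entry.
    `small` is an assumed triage threshold, not a value from the advisory.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():  # central directory only; nothing is decrypted
            if info.compress_type == AES_METHOD and info.CRC != 0:
                findings.append((info.filename, ae_version(info.extra),
                                 info.file_size, info.file_size <= small))
    return findings

def sample_zip(entries):
    """Constructed test archive: headers are well-formed, payloads are zero bytes."""
    body = cd = b""
    for name, plain, ver in entries:
        crc = zlib.crc32(plain) if ver == 1 else 0  # AE-2 leaves the CRC field zero
        extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, ver, b"AE", 3, 0)
        data = bytes(16 + 2 + len(plain) + 10)  # salt, verifier, data, MAC (placeholder)
        meta = struct.pack("<HHHHHIIIHH", 51, 1, AES_METHOD, 0, 0x21, crc,
                           len(data), len(plain), len(name), len(extra))
        cd += (b"PK\x01\x02" + struct.pack("<H", 51) + meta
               + struct.pack("<HHHII", 0, 0, 0, 0, len(body)) + name + extra)
        body += b"PK\x03\x04" + meta + name + extra + data
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries),
                       len(entries), len(cd), len(body), 0)
    return body + cd + eocd

if __name__ == "__main__":
    demo = sample_zip([(b"pin.txt", b"4921", 1), (b"notes.txt", b"hello", 2)])
    for finding in audit(demo):
        print(finding)
```

Entries reported with `is_small` set are the ones the advisory's scenario applies to most directly; re-encrypting them after upgrading removes the stored checksum from the header.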
