CVE-2026-1703

EPSS 0.02%
Veröffentlicht 02.02.2026 15:16:30
Zuletzt bearbeitet 03.02.2026 16:44:36
Quelle cna@python.org
CVE-Watchlists
Login
Unerledigt
Login

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerPython Packaging Authority

≫

Produkt pip

Default Statusunaffected

Version < 26.0

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.034

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@python.org	2	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735

https://github.com/pypa/pip/pull/13777

https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/

https://nvd.nist.gov/vuln/detail/CVE-2026-1703

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-1703

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-1703

EUVD