7.1
CVE-2026-34591
- EPSS 0.47%
- Veröffentlicht 02.04.2026 17:35:07
- Zuletzt bearbeitet 13.04.2026 18:38:38
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package artifacts during normal install flows. (Normally, installing a malicious wheel is not sufficient for execution of malicious code. Malicious code will only be executed after installation if the malicious package is imported or invoked by the user.). This issue has been patched in version 2.3.3.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Python-poetry ≫ Poetry SwPlatformpython Version >= 1.4.0 < 2.3.3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.47% | 0.369 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
|
| security-advisories@github.com | 7.1 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
https://github.com/python-poetry/poetry/security/advisories/GHSA-2599-h6xx-hpxp
https://github.com/python-poetry/poetry/pull/10792
https://github.com/python-poetry/poetry/releases/tag/2.3.3
http://github.com/python-poetry/poetry/commit/ed59537ac3709cfbdbf95d957de801c13872991a