CVE-2026-5271

Exploit

EPSS 0.02%
Veröffentlicht 01.04.2026 13:48:07
Zuletzt bearbeitet 07.04.2026 19:43:28
Quelle cna@python.org
CVE-Watchlists
Login
Unerledigt
Login

Possible to hijack modules in current working directory

pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory. As a result, if a user executes a pymanager-generated command (e.g., pip, pytest)
 from an attacker-controlled directory, a malicious module in that 
directory can be imported and executed instead of the intended package.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Python ≫ Pymanager Version26.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.056

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cna@python.org	5.6	0	0	CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-427 Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

https://github.com/python/pymanager/security/advisories/GHSA-jr5x-hgm4-rrm6

Vendor Advisory

Exploit

http://www.openwall.com/lists/oss-security/2026/04/01/5

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-5271

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-5271

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-5271

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-5271