Pypa

Pip

11 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
4.6

CVE-2026-3219

  • EPSS 0.02%
  • Veröffentlicht 20.04.2026 14:55:38
  • Zuletzt bearbeitet 20.04.2026 21:16:36

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename...

2

CVE-2026-1703

  • EPSS 0.03%
  • Veröffentlicht 02.02.2026 15:16:30
  • Zuletzt bearbeitet 15.04.2026 00:35:42

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite exec...

5.9

CVE-2025-8869

  • EPSS 0.02%
  • Veröffentlicht 24.09.2025 15:15:41
  • Zuletzt bearbeitet 15.04.2026 00:35:42

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilit...

3.3

CVE-2023-5752

  • EPSS 0.08%
  • Veröffentlicht 25.10.2023 18:17:44
  • Zuletzt bearbeitet 03.11.2025 18:15:41

When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the...

5.7

CVE-2021-3572

  • EPSS 0.24%
  • Veröffentlicht 10.11.2021 18:15:09
  • Zuletzt bearbeitet 21.11.2024 06:21:52

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrit...

7.5

CVE-2019-20916

Exploit
  • EPSS 0.62%
  • Veröffentlicht 04.09.2020 20:15:11
  • Zuletzt bearbeitet 21.11.2024 04:39:40

The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occ...

7.8

CVE-2018-20225

  • EPSS 3.73%
  • Veröffentlicht 08.05.2020 18:15:10
  • Zuletzt bearbeitet 15.04.2026 21:17:00

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and ...

5.9

CVE-2013-5123

  • EPSS 12.38%
  • Veröffentlicht 05.11.2019 22:15:10
  • Zuletzt bearbeitet 21.11.2024 01:57:03

The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.

2.1

CVE-2014-8991

  • EPSS 0.07%
  • Veröffentlicht 24.11.2014 15:59:15
  • Zuletzt bearbeitet 06.05.2026 22:30:45

pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.

2.1

CVE-2013-1888

  • EPSS 0.09%
  • Veröffentlicht 17.08.2013 06:54:57
  • Zuletzt bearbeitet 29.04.2026 01:13:23

pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.