28 matches found
ROS-20260526-73-0022
Vulnerability in poetry related to improper limitation of a pathname to a restricted directory (path traversal). Exploitation of the vulnerability may allow a remote intruder to gain unauthorized access to protected information...
SUSE CVE-2026-41140
Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supporte...
5gasp-cli (>=0.1.0 <=0.4.0), aia-read-svc (>=0.5.1 <=0.6.2) +414 more potentially affected by CVE-2026-41140 via poetry (>=0.12.17 <=2.3.3)
poetry PYPI version =0.12.17, =0.1.0, =0.5.1, =2023.2.21, =0.2.0rc3, =0.1.0, =0.1.1, =0.6.0.68, =0.0.1, =0.1.0rc7, =0.0.2, =0.0.3 and more Source cves: CVE-2026-41140 Source advisory: OSV:GHSA-73H3-MF4W-8647...
aima (=2023.2.4), appcensus-dynamic-repos (>=2.0.113 <=2.1.117) +27 more potentially affected by CVE-2026-41140 via poetry (>=2.0.1 <=2.3.3)
poetry PYPI version =2.0.1, =2.0.113, =0.0.2, =1.0.7, =0.1.1, =1.5.12, =0.2.0, =0.4.3, =1.5.4, =0.1.2, =0.1.6 and more Source cves: CVE-2026-41140 Source advisory: SNYK:PYTHON-POETRY-16122096...
Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4
Summary The extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 ...
PT-2026-34527
Summary The extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0...
PT-2026-34538
Name of the Vulnerable Software and Affected Versions Poetry versions prior to 2.3.4 Description The extractall function in src/poetry/utils/helpers.py extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. This occurs specifically o...
Poetry Has Wheel Path Traversal Which Can Lead To Arbitrary File Write
Summary A crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. Impact Arbitrary file write path traversal from untrusted wheel content. Impacts users/CI/CD systems installing malicious o...
SUSE CVE-2026-34591
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...
CVE-2026-34591
A flaw was found in Poetry, a dependency manager for Python. A remote attacker can exploit this vulnerability by providing a specially crafted package wheel that contains directory traversal sequences. When Poetry installs this malicious package, it writes files to arbitrary locations on the syst...
DEBIAN-CVE-2026-34591
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...
CVE-2026-34591 Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...
CVE-2026-34591
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...
Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write
Summary A crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. Impact Arbitrary file write path traversal from untrusted wheel content. Impacts users/CI/CD systems installing malicious o...
5gasp-cli (>=0.1.0 <=0.4.0), aia-read-svc (>=0.5.1 <=0.6.2) +394 more potentially affected by CVE-2026-34591 via poetry (>=1.4.0 <=2.3.2)
poetry PYPI version =1.4.0, =0.1.0, =0.5.1, =2023.2.21, =0.2.0rc3, =0.1.0, =0.1.1, =0.6.0.68, =0.0.1, =0.1.0rc7, =0.0.2, =0.0.3 and more Source cves: CVE-2026-34591 Source advisory: SNYK:PYTHON-POETRY-15873752...
EUVD-2025-21313
Malicious code in bioql PyPI...
EUVD-2022-0203
Malicious code in bioql PyPI...
CVE-2025-7579 chinese-poetry server.js ReDoS
A vulnerability was found in chinese-poetry 0.1. It has been rated as problematic. This issue affects some unknown processing of the file rank/server.js. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to th...
depend (>=0.2.0 <=0.3.0), ekrhizoc (>=0.0.5 <=0.1.0) +13 more potentially affected by CVE-2022-36069 via poetry (>=0.12.17 <=1.1.5)
poetry PYPI version =0.12.17, =0.2.0, =0.0.5, =2020.1.0, =0.1.0, =0.1.3, =5.2.0, =0.0.5, =0.1.0, =0.4.0, =0.1.0, =0.3.0, =0.1.3, =0.0.1, =0.1.4 Source cves: CVE-2022-36069 Source advisory: OSV:PYSEC-2022-266...