24 matches found
PT-2026-47548
Impact In versions of uv prior to 0.11.15, when installing a distribution containing an entry point specification under console scripts or gui scripts, uv would place the generated entry point according to the given name even if doing so resulted in a path outside of the environment's scripts...
CVE-2026-8643
A flaw was found in pip, the package installer for Python. A remote attacker can exploit this vulnerability by tricking a victim into installing a malicious Python wheel. This wheel contains specially crafted entry-point names that use directory traversal or absolute paths. This allows pip to wri...
OceanLotus suspected of using PyPI to deliver ZiChatBot malware
Introduction Through our daily threat hunting, we noticed that, beginning in July 2025, a series of malicious wheel packages were uploaded to PyPI the Python Package Index. We shared this information with the public security community, and the malware was removed from the repository. We submitted...
wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking
A path traversal flaw has been discovered in the python wheel too. The unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the...
SUSE: Security Advisory (SUSE-SU-2026:20423-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Important: Red Hat Security Advisory: python3.12-wheel security update
An update for python3.12-wheel is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...
Important: Red Hat Security Advisory: python-wheel security update
An update for python-wheel is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is availab...
RHEL 10 : python-wheel (RHSA-2026:2865)
The remote Redhat Enterprise Linux 10 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:2865 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic da...
RHEL 9 : python3.12-wheel (RHSA-2026:2710)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:2710 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic dat...
OPENSUSE-SU-2026:20202-1 Security update for python-pip
This update for python-pip fixes the following issues: - CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously crafted wheel archives bsc1257599...
RLSA-2026:2090 Important: python3.12-wheel security update
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...
RLSA-2026:1939 Important: python3.12-wheel security update
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...
Important: python3.12-wheel security update
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...
Important: python3.12-wheel security update
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...
CVE-2026-1703
A flaw was found in pip. A remote attacker could exploit this path traversal vulnerability by tricking a user into installing a maliciously crafted wheel archive. This could lead to files being extracted outside the intended installation directory, potentially disclosing sensitive information...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the iswithindirectory function, during the extraction process of maliciously crafted wheel archives. An attacker can write files outside the intended installation directory by including specially crafted file pat...
GHSA-6VGW-5PG2-W6JP pip Path Traversal vulnerability
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations...
AZL-77910 CVE-2026-1703 affecting package python-virtualenv 20.36.1-1
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations...
AZL-76599 CVE-2026-1703 affecting package python3 3.12.9-9
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations...
AZL-76496 CVE-2026-1703 affecting package python-virtualenv 20.26.6-2
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations...