Python-poetry Poetry

4 matches found

CVE
added 2022/09/07 6:30 p.m., 184 views

CVE-2022-36069

Poetry (Python) is affected by CVE-2022-36069 where dependency handling from Git repositories can trigger arbitrary code execution if a repository URL or input starts with a dash, causing certain commands (e.g., git clone) to be parsed as options rather than positional arguments. The root cause i...

CVSS 7.3, AI score 7.8, EPSS 0.01475
CVE
added 2022/03/21 12:0 a.m., 118 views

CVE-2022-26184

CVE-2022-26184 affects Poetry v1.1.9 and earlier. The issue is an untrusted search path that causes Poetry commands to behave unexpectedly when run in directories containing malicious content on Windows. The incident is documented with high CVSS impacts (confidentiality, integrity, availability) ...

CVSS 9.8, AI score 9.5, EPSS 0.01828
CVE
added 2022/09/07 6:30 p.m., 79 views

CVE-2022-36070

CVE-2022-36070 affects Poetry (Python dependency manager). When handling Git-based dependencies, Poetry runs commands by executable name (not absolute path), enabling Windows’ path resolution to execute untrusted binaries in the current directory. This can lead to Arbitrary Code Execution with lo...

CVSS 7.3, AI score 7.2, EPSS 0.00341
CVE
added 2026/04/02 5:35 p.m., 54 views

CVE-2026-34591

CVE-2026-34591 (Poetry) is a wheel path traversal vulnerability in Poetry for Python. From version 1.4.0 up to 2.3.2 (patched in 2.3.3), a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, enabling arbitrary file writes with the Poetry process’s privileges...

CVSS 7.1, AI score 6.1, EPSS 0.00468