CVE-2026-1703

N/A Unknown
Published: February 02, 2026 Modified: February 03, 2026
View on NVD

Description

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
Source: cna@python.org
https://github.com/pypa/pip/pull/13777
Source: cna@python.org
https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/
Source: cna@python.org

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
EPSS (Exploit Probability)
0.0%
6th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-22

Related CVEs

CVE-2026-5046 8.8
CVE-2026-5045 8.8
CVE-2026-5044 8.8
CVE-2026-33575 7.5
CVE-2026-33574 6.2