Limited path traversal when installing wheel archives_CVE-2026-1703

2 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Description

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Basic Information

ID CVE-2026-1703

Source PSF

Published Feb 2, 2026 at 14:43

Modified Feb 2, 2026 at 14:45

Affected Product

Vendor Python Packaging Authority

Product pip

Affected Versions Python Packaging Authority pip 0

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.",
    "published": "2026-02-02T14:43:02.919Z",
    "modified": "2026-02-02T14:45:44.871Z",
    "type": "cve",
    "title": "Limited path traversal when installing wheel archives",
    "source": "PSF",
    "references": "https://github.com/pypa/pip/pull/13777\nhttps://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735\nhttps://mail.python.org/archives/list/[email protected]/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/",
    "id": "CVE-2026-1703",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "Python Packaging Authority pip 0",
    "sourceHref": "",
    "cvss": {
        "score": 2,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pip",
    "version": "0",
    "vendor": "Python Packaging Authority",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}