Skip to main content

CVE-2026-1703

Path Traversal (CWE-22)
2026-02-02 cna@python.org GHSA-6vgw-5pg2-w6jp

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:01 vuln.today
CVE Published
Feb 02, 2026 - 15:16 nvd
N/A

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on pip (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 26.0.

DescriptionCVE.org

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Analysis

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Technical ContextAI

Classified as CWE-22 (Path Traversal). When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Affected ProductsAI

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path travers

RemediationAI

Monitor vendor advisories for a patch. Validate and sanitize file path inputs. Use allowlists.

Share

CVE-2026-1703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy