Python CVE-2026-22702
MEDIUM
GHSA-597g-3phw-6986
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3Blast Radius
ecosystem impact- 58 pypi packages depend on virtualenv (34 direct, 24 indirect)
Ecosystem-wide dependent count for version 20.36.1.
DescriptionNVD
virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
AnalysisAI
Virtualenv versions up to 20.36.1 is affected by improper link resolution before file access (CVSS 4.5).
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.
Sign in for detailed remediation steps.
More from same product – last 7 days
Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today