Skip to main content

Pip

7 CVEs product

Monthly

CVE-2026-8643 PyPI MEDIUM PATCH This Month

Path traversal during wheel installation in pip allows a malicious package's console_scripts or gui_scripts entry point names to be written outside the intended scripts directory. All pip versions are listed as affected (CPE covers wildcard versions), and exploitation requires a victim to run pip install on a specially crafted package - making this a supply chain attack vector. No public exploit code is identified at time of analysis, no KEV listing exists, and a vendor fix is available upstream via PR #14000, though no specific patched release version is independently confirmed from available intelligence.

Path Traversal Pip
NVD GitHub VulDB
CVSS 4.0
4.1
EPSS
0.0%
CVE-2023-5752 PyPI LOW PATCH Monitor

When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Pip
NVD GitHub
CVSS 3.1
3.3
EPSS
0.5%
CVE-2021-3572 PyPI MEDIUM PATCH This Month

A flaw was found in python-pip in the way it handled Unicode separators in git references. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.

Python Information Disclosure Pip Agile Plm Communications Cloud Native Core Network Function Cloud Native Environment +1
NVD
CVSS 3.1
5.7
EPSS
1.7%
CVE-2018-20225 HIGH This Week

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Pip
NVD VulDB
CVSS 3.1
7.8
EPSS
1.7%
CVE-2014-8991 PyPI LOW PATCH Monitor

pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.

Denial Of Service Pip Solaris
NVD GitHub
CVSS 2.0
2.1
EPSS
0.1%
CVE-2013-1888 PyPI LOW PATCH Monitor

pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.

Information Disclosure Pip Fedora
NVD GitHub
CVSS 2.0
2.1
EPSS
0.1%
CVE-2013-1629 PyPI MEDIUM POC PATCH THREAT This Month

pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 39.9%.

RCE Pip
NVD GitHub
CVSS 2.0
6.8
EPSS
39.9%
Threat
4.1
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Path traversal during wheel installation in pip allows a malicious package's console_scripts or gui_scripts entry point names to be written outside the intended scripts directory. All pip versions are listed as affected (CPE covers wildcard versions), and exploitation requires a victim to run pip install on a specially crafted package - making this a supply chain attack vector. No public exploit code is identified at time of analysis, no KEV listing exists, and a vendor fix is available upstream via PR #14000, though no specific patched release version is independently confirmed from available intelligence.

Path Traversal Pip
NVD GitHub VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Pip
NVD GitHub
EPSS 2% CVSS 5.7
MEDIUM PATCH This Month

A flaw was found in python-pip in the way it handled Unicode separators in git references. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.

Python Information Disclosure Pip +3
NVD
EPSS 2% CVSS 7.8
HIGH This Week

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Pip
NVD VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.

Denial Of Service Pip Solaris
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.

Information Disclosure Pip Fedora
NVD GitHub
EPSS 40% 4.1 CVSS 6.8
MEDIUM POC PATCH THREAT This Month

pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 39.9%.

RCE Pip
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy