CVE-2026-1703

EUVD-2026-5106
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
Debian logo
Debian Releases
Debian Product
Codename
python-pip
bookworm
no-dsa
bullseye
postponed
bullseye (security)
vulnerable
forky
26.1.2+dfsg-1
fixed
sid
26.1.2+dfsg-1
fixed
trixie
no-dsa
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libpython2_7-1_0
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
libpython2_7-1_0-32bit
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
python
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
python-32bit
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
python-base
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
python-base-32bit
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
python-curses
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
python-demo
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
python-devel
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
python-doc
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
python-doc-pdf
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
python-gdbm
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
python-idle
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
python-tk
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
python-xml
suse enterprise server 12 SP3
2.7.18-28.157.1
fixed
suse enterprise server 12 SP5
2.7.18-33.79.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
python-pip-wheel
Amazon Linux 2
0:20.2.2-1.amzn2.0.16
fixed
python2-pip
Amazon Linux 2
0:20.2.2-1.amzn2.0.16
fixed
python3-pip
Amazon Linux 2
0:20.2.2-1.amzn2.0.16
fixed
Amazon Linux 2023
0:21.3.1-2.amzn2023.0.17
fixed
python3-pip-wheel
Amazon Linux 2023
0:21.3.1-2.amzn2023.0.17
fixed
python3.11-pip
Amazon Linux 2023
0:22.3.1-2.amzn2023.0.11
fixed
python3.11-pip-wheel
Amazon Linux 2023
0:22.3.1-2.amzn2023.0.11
fixed
python3.12-pip
Amazon Linux 2023
0:23.2.1-4.amzn2023.0.8
fixed
python3.12-pip-wheel
Amazon Linux 2023
0:23.2.1-4.amzn2023.0.8
fixed
python3.13-pip
Amazon Linux 2023
0:24.2-259.amzn2023.0.4
fixed
python3.13-pip-wheel
Amazon Linux 2023
0:24.2-259.amzn2023.0.4
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
python-pip
Azure Linux 3.0
0:24.2-6.azl3
fixed
python-virtualenv
Azure Linux 3.0
0:20.36.1-2.azl3
fixed
CBL-Mariner 2.0
0:20.26.6-3.cm2
fixed