pip Path Traversal vulnerability

GHSA-6vgw-5pg2-w6jp · CVE-2026-1703

Published Feb 2, 2026 · Modified Mar 24, 2026

Description

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-1703
WEB https://github.com/pypa/pip/pull/13777
WEB https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
PACKAGE https://github.com/pypa/pip
WEB https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes