CVE-2026-1703

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-1703
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1703.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-1703
Aliases
Downstream
Related
Published
2026-02-02T15:16:30.510Z
Modified
2026-04-10T05:38:54.079741Z
Severity
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
[none]
Details

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

References

Affected packages

Git / github.com/pypa/pip

Affected ranges

Type
GIT
Repo
https://github.com/pypa/pip
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8e227a9be4faa9594e05d02ca05a413a2a4e7735

Affected versions

0.*
0.3
0.6
0.7
0.7.1
0.8
0.8.2
0.8.3
1.*
1.0
1.2
1.4rc1
1.4rc2
10.*
10.0.0
10.0.1
18.*
18.0
18.1
19.*
19.0
19.0.2
19.1.1
20.*
20.0.2
21.*
21.0
21.3
6.*
6.0
9.*
9.0.0
9.0.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1703.json"