PYSEC-2026-1839

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyrage/PYSEC-2026-1839.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1839
Aliases
Published
2026-07-07T14:34:47.620501Z
Modified
2026-07-07T17:46:59.507577103Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
Details

pyrage uses the Rust age crate for its underlying operations, and age is vulnerable to GHSA-4fg7-vxc8-qx5w.

All details of GHSA-4fg7-vxc8-qx5w are relevant to pyrage for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details.

Versions of pyrage before 1.2.0 lack plugin support and are therefore not affected.

An equivalent issue was fixed in the reference Go implementation of age, see advisory GHSA-32gq-x56h-299c.

Thanks to ⬡-49016 for reporting this issue.

References

Affected packages

PyPI / pyrage

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.0
Fixed
1.2.3

Affected versions

1.*
1.2.1
1.2.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pyrage/PYSEC-2026-1839.yaml"