PYSEC-2026-1976

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/tqdm/PYSEC-2026-1976.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1976
Aliases
Published
2026-07-07T11:45:41.060200Z
Modified
2026-07-07T17:48:11.555580867Z
Severity
  • 3.9 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
tqdm CLI arguments injection attack
Details

Impact

Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through python's eval, allowing arbitrary code execution. Example:

python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \""

Patches

https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 released in tqdm>=4.66.3

Workarounds

None

References

  • https://github.com/tqdm/tqdm/releases/tag/v4.66.3
References

Affected packages

PyPI / tqdm

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
4.66.3

Affected versions

4.*
4.4.0
4.4.1
4.4.3
4.5.0
4.5.2
4.6.1
4.6.2
4.7.0
4.7.1
4.7.2
4.7.4
4.7.6
4.8.1
4.8.2
4.8.3
4.8.4
4.9.0
4.10.0
4.11.0
4.11.1
4.11.2
4.12.0
4.13.0
4.14.0
4.15.0
4.16.0
4.17.0
4.17.1
4.18.0
4.19.1
4.19.1.post1
4.19.2
4.19.4
4.19.5
4.19.6
4.19.7
4.19.8
4.19.9
4.20.0
4.21.0
4.22.0
4.23.0
4.23.1
4.23.2
4.23.3
4.23.4
4.24.0
4.25.0
4.26.0
4.27.0
4.28.0
4.28.1
4.29.0
4.29.1
4.30.0
4.31.0
4.31.1
4.32.0
4.32.1
4.32.2
4.33.0
4.34.0
4.35.0
4.36.0
4.36.1
4.37.0
4.38.0
4.39.0
4.40.0
4.40.1
4.40.2
4.41.0
4.41.1
4.42.0
4.42.1
4.43.0
4.44.0
4.44.1
4.45.0
4.46.0
4.46.1
4.47.0
4.48.0
4.48.1
4.48.2
4.49.0
4.50.0
4.50.1
4.50.2
4.51.0
4.52.0
4.53.0
4.54.0
4.54.1
4.55.0
4.55.1
4.55.2
4.56.0
4.56.1
4.56.2
4.57.0
4.58.0
4.59.0
4.60.0
4.61.0
4.61.1
4.61.2
4.62.0
4.62.1
4.62.2
4.62.3
4.63.0
4.63.1
4.63.2
4.64.0
4.64.1
4.65.0
4.65.1
4.65.2
4.66.0
4.66.1
4.66.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/tqdm/PYSEC-2026-1976.yaml"