PYSEC-2026-783

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/aptdaemon/PYSEC-2026-783.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-783
Aliases
Published
2026-07-06T08:03:28.812075Z
Modified
2026-07-07T11:45:42.953970163Z
Severity
  • 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
aptdaemon Information Disclosure via Improper Input Validation in Transaction class
Details

There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root.

References

Affected packages

PyPI / aptdaemon

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.1

Affected versions

Other
trunk
0.*
0.3X
0.40
1.*
1.0
1.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/aptdaemon/PYSEC-2026-783.yaml"