Bug 2461604 (CVE-2026-41140)
| Summary: | CVE-2026-41140 poetry: Poetry: Path traversal vulnerability allows arbitrary file write via malicious package extraction | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | anthomas, dschmidt, ehelms, erezende, ggainey, jdobes, jkoehler, jlanda, juwatts, kgaikwad, kshier, lphiri, mhulan, nmoumoul, orabin, osousa, pcreech, rchan, simaishi, smallamp, smcdonal, stcannon, teagle, tmalecek, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Poetry, a dependency manager for Python. This vulnerability allows a remote attacker to perform a path traversal attack. By crafting a malicious software package, the `extractall()` function in Poetry can be tricked into writing files to unintended locations on the system. This could lead to the creation or overwrite of critical system files, potentially compromising the integrity of the system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2461803 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-04-24 18:01:45 UTC
|