Bug 2436000 (CVE-2026-1703) - CVE-2026-1703 pip: pip: Information disclosure via path traversal when installing crafted wheel archives
Keywords:
Status: NEW
Alias: CVE-2026-1703
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-02-02 16:01 UTC by OSIDB Bzimport
Modified: 2026-04-30 04:17 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-02-02 16:01:19 UTC
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, and thus isn't able to inject or overwrite executable files in typical situations.
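
Added example, not part of the original report and not pip's code: a small audit that compares a string-prefix containment test with a path-component test over the member names of an archive, to show how a traversal can end up limited to paths that share a prefix with the installation directory. That the issue stems from a string-prefix comparison is an assumption made for illustration; the function names, the DEST path and the sample archive are constructed.

```python
import io
import os
import zipfile

DEST = "/opt/venv/lib/site-packages"  # constructed installation directory


def prefix_check(directory, target):
    """Weak containment test: compares the two paths character by character."""
    directory, target = os.path.abspath(directory), os.path.abspath(target)
    return os.path.commonprefix([directory, target]) == directory


def component_check(directory, target):
    """Strict containment test: compares whole path components."""
    directory, target = os.path.abspath(directory), os.path.abspath(target)
    return os.path.commonpath([directory, target]) == directory


def audit_wheel(data, dest):
    """Map each archive member to (prefix_check result, component_check result)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            target = os.path.join(dest, name)
            report[name] = (prefix_check(dest, target),
                            component_check(dest, target))
    return report


def build_sample():
    """Constructed archive: one normal member and two that leave DEST."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "")
        # Sibling directory whose name merely starts with "site-packages".
        zf.writestr("../site-packages-backup/note.txt", "")
        # Unrelated directory further up the tree.
        zf.writestr("../../etc/note.txt", "")
    return buf.getvalue()


if __name__ == "__main__":
    for member, (weak, strict) in audit_wheel(build_sample(), DEST).items():
        verdict = "ok" if strict else "OUTSIDE DEST"
        print(f"{member!r}: prefix={weak} component={strict} -> {verdict}")
```

Only the sibling member passes the string-prefix test while failing the component test; a member is safe to extract only when the component test accepts it.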

