Path Traversal in Python Packaging Authority Pip

CVE-2026-1703

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or ove…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (9.1th percentile) — read the EPSS interpretation.

Affected products

Python Packaging Authority Pip — versions 0

Weakness classification (CWE)

CWE-22 — Path Traversal

References

github.com/pypa/pip/pull/13777 (patch)
github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735 (patch)
mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2… (vendor-advisory)