What is CVE-2026-22702?

CVE-2026-22702 is a medium-severity vulnerability in Pypa Virtualenv, classified under Improper Link Resolution Before File Access. CVSS score: 4.5/10. Published 2026-01-10.

How severe is CVE-2026-22702?

Medium severity. CVSS v3 base score is 4.5 out of 10.

Vulnerability in Pypa Virtualenv

CVE-2026-22702

virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation…

EPSS: 0.000 (3.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.5 (Medium). Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L.

Affected products

Pypa Virtualenv — versions < 20.36.1

Weakness classification (CWE)

References

https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 (x_refsource_CONFIRM)
https://github.com/pypa/virtualenv/pull/3013 (x_refsource_MISC)
https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-22702?: CVE-2026-22702 is a medium-severity vulnerability in Pypa Virtualenv, classified under Improper Link Resolution Before File Access. CVSS score: 4.5/10. Published 2026-01-10.
How severe is CVE-2026-22702?: Medium severity. CVSS v3 base score is 4.5 out of 10.