What is CVE-2026-24049?

CVE-2026-24049 is a high-severity vulnerability in Pypa Wheel, classified under Path Traversal. CVSS score: 7.1/10. Published 2026-01-22.

How severe is CVE-2026-24049?

High severity. CVSS v3 base score is 7.1 out of 10.

Is CVE-2026-24049 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Pypa Wheel

CVE-2026-24049

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after ext…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (3.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.1 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H.

Affected products

Pypa Wheel — versions >= 0.40.0, < 0.46.2

Weakness classification (CWE)

Public proof-of-concept exploits

kriskimmerle/wheelaudit

References

https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx (x_refsource_CONFIRM)
https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef (x_refsource_MISC)
https://github.com/pypa/wheel/releases/tag/0.46.2 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-24049?: CVE-2026-24049 is a high-severity vulnerability in Pypa Wheel, classified under Path Traversal. CVSS score: 7.1/10. Published 2026-01-22.
How severe is CVE-2026-24049?: High severity. CVSS v3 base score is 7.1 out of 10.
Is CVE-2026-24049 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.