Path Traversal in Python-poetry Poetry

CVE-2026-34591

Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Po…

Vulnerability class: Path Traversal (Directory Traversal)
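The missing containment check can be illustrated with a small audit script. This is an added example, not Poetry's code or its fix: the function names and the sample archive are constructed for illustration. It lists wheel entries whose names would resolve outside the install directory.

```python
import io
import zipfile
from pathlib import PurePosixPath, PureWindowsPath


def escapes_target(member: str) -> bool:
    """True if an archive member name would land outside the install dir."""
    name = member.replace("\\", "/")
    # Absolute paths and drive letters ignore the destination when joined.
    if name.startswith("/") or PureWindowsPath(member).drive:
        return True
    depth = 0
    for part in PurePosixPath(name).parts:
        if part == "..":
            depth -= 1
            if depth < 0:  # climbed above the destination root
                return True
        elif part != ".":
            depth += 1
    return False


def unsafe_members(wheel_bytes: bytes) -> list[str]:
    """List entries of a wheel (a zip archive) that fail the containment check."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return [n for n in zf.namelist() if escapes_target(n)]


def build_sample_wheel(names: list[str]) -> bytes:
    """Constructed sample input: an in-memory zip with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()


# Constructed sample, not taken from a real package.
SAMPLE = build_sample_wheel([
    "demo/__init__.py",
    "demo-1.0.dist-info/METADATA",
    "demo/../demo/ok.py",       # ".." that stays inside the target
    "../outside.txt",           # climbs out of the target
    "demo/../../outside.txt",   # climbs out after descending
])

if __name__ == "__main__":
    print(unsafe_members(SAMPLE))
```

The check is purely lexical: it does not account for symlinks already present in the destination, which an installer would also need to handle by resolving the final path before writing.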

EPSS: 0.000 (4.1th percentile)