CVE-2026-1703: Path Traversal in Packaging Authority PIP

Severity: 2.0 LOW (NVD)
EPSS: 0.0% (top 93.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 2; latest update Mar 5

Description

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to paths that share a string prefix with the installation directory, so in typical situations it cannot inject or overwrite executable files.
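The weakness behind this class of bug is a containment check built on os.path.commonprefix, which compares strings character by character, rather than os.path.commonpath, which compares path components. The example below is added here and is not pip's or dbt-common's code; it assumes a POSIX host and a constructed installation directory, and shows which archive member names slip past the string-prefix check but are stopped by the component-wise one.

```python
import os

# Constructed installation prefix for the demonstration; no files are written.
SITE_PACKAGES = "/opt/venv/lib/python3.12/site-packages"


def is_within_directory_prefix(directory: str, target: str) -> bool:
    """Weak containment check using a string prefix (the flawed pattern).

    commonprefix() works on characters, so a sibling directory whose name
    starts with the install directory name shares the whole prefix and passes.
    """
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonprefix([abs_directory, abs_target]) == abs_directory


def is_within_directory_path(directory: str, target: str) -> bool:
    """Strict containment check using path components (the fixed pattern)."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    try:
        return os.path.commonpath([abs_directory, abs_target]) == abs_directory
    except ValueError:  # raised when the paths cannot share a root (Windows drives)
        return False


def classify_member(member_name: str, dest: str = SITE_PACKAGES) -> dict:
    """Resolve one archive member name against dest and evaluate both checks."""
    target = os.path.join(dest, member_name)
    return {
        "target": os.path.abspath(target),
        "prefix_check": is_within_directory_prefix(dest, target),
        "path_check": is_within_directory_path(dest, target),
    }


def members_escaping_prefix_check(member_names, dest: str = SITE_PACKAGES) -> list:
    """Return the members the weak check accepts but the strict check rejects."""
    escaping = []
    for name in member_names:
        result = classify_member(name, dest)
        if result["prefix_check"] and not result["path_check"]:
            escaping.append(name)
    return escaping


# Constructed sample member names, as they might appear in a wheel's file list.
SAMPLE_MEMBERS = [
    "demo/__init__.py",                  # ordinary member, inside dest
    "../site-packages-shadow/notes.txt", # sibling dir sharing the string prefix
    "../../notes.txt",                   # climbs above the prefix: both checks reject
]
```

Only the second sample member is accepted by the prefix check and rejected by the path check, matching the advisory's note that the traversal is confined to paths that extend the installation directory's string prefix.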

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages (6 packages)

PyPI: pypa/pip, < 26.0
Debian: debian/python-pip, < python-pip 26.0+dfsg-1 (forky)
PyPI: dbt-labs/dbt-common, 1.35.0 to 1.37.3+1

🔴 Vulnerability Details (5)

OSV: dbt-common's commonprefix() doesn't protect against path traversal (2026-03-05)
GHSA: dbt-common's commonprefix() doesn't protect against path traversal (2026-03-05)
GHSA: pip Path Traversal vulnerability (2026-02-02)
OSV: pip Path Traversal vulnerability (2026-02-02)
OSV: CVE-2026-1703: When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory (2026-02-02)

📋 Vendor Advisories (4)

Red Hat: freerdp: FreeRDP: Denial of Service via missing bounds check in smartcard redirection (2026-02-25)
Microsoft: Limited path traversal when installing wheel archives (2026-02-10)
Red Hat: pip: pip: Information disclosure via path traversal when installing crafted wheel archives (2026-02-02)
Debian: CVE-2026-1703: python-pip - When pip is installing and extracting a maliciously crafted wheel archive, files... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-1703 Impact, Exploitability, and Mitigation Steps | Wiz