cbcvebase.
CVE-2026-1703
published 2026-02-02


Priority: P4 (low); CVSS 4.0 base score: 2.0
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS: 0.39% (30.8th percentile)
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
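The bug class described above, as an added example (this is not pip's code and does not reproduce the fix shipped in pip 26.0): a pre-install audit that lists every wheel member whose extraction path would resolve outside the target directory, comparing a component-wise containment test against the string-prefix test that many extractors have historically used. The install path SAMPLE_DEST, the hand-built archive and the helper names (build_sample_wheel, naive_is_contained, is_contained, escaping_members, audit_wheel_file) are constructed for this example. The sibling-directory member is included to show why a bare string-prefix comparison is the wrong containment test; that this is what the description's "prefixes of the installation directory" refers to is an assumption, not something the page states.

```python
import io
import os
import zipfile

# Constructed sample: a made-up install target and a hand-built wheel archive.
# Neither is a real package; the archive exists only to exercise the checks below.
SAMPLE_DEST = "/venv/lib/python3.12/site-packages"


def build_sample_wheel() -> bytes:
    """Build an in-memory zip with one benign member and three escaping ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "# benign module\n")
        # Classic "../" traversal: would land in /venv/lib/evil.pth
        zf.writestr("../../evil.pth", "import os\n")
        # Absolute member name: os.path.join discards the destination entirely
        zf.writestr("/tmp/abs.txt", "absolute\n")
        # Sibling directory whose path begins with the destination string:
        # /venv/lib/python3.12/site-packages-evil/x.py
        zf.writestr("../site-packages-evil/x.py", "print('sibling')\n")
    return buf.getvalue()


def naive_is_contained(dest_dir: str, member: str) -> bool:
    """String-prefix containment test, shown only as the anti-pattern: it
    accepts any normalized path that merely starts with the destination text."""
    target = os.path.normpath(os.path.join(dest_dir, member))
    return target.startswith(dest_dir)


def is_contained(dest_dir: str, member: str) -> bool:
    """Component-wise containment test: dest_dir must be an ancestor of (or
    equal to) the normalized target, not just a textual prefix of it."""
    dest = os.path.normpath(os.path.abspath(dest_dir))
    target = os.path.normpath(os.path.join(dest, member))
    try:
        return os.path.commonpath([dest, target]) == dest
    except ValueError:
        # Raised on Windows when the two paths are on different drives.
        return False


def escaping_members(wheel_bytes: bytes, dest_dir: str, check=is_contained) -> list:
    """Return the archive member names that `check` would place outside dest_dir."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return [name for name in zf.namelist() if not check(dest_dir, name)]


def audit_wheel_file(path: str, dest_dir: str) -> list:
    """Same audit against a wheel on disk, e.g. one sitting in the pip cache."""
    with open(path, "rb") as fh:
        return escaping_members(fh.read(), dest_dir)


if __name__ == "__main__":
    wheel = build_sample_wheel()
    print("component-wise check flags:", escaping_members(wheel, SAMPLE_DEST))
    print("string-prefix check flags: ", escaping_members(wheel, SAMPLE_DEST, naive_is_contained))
```

The string-prefix test catches the "../" and absolute-path members but lets the sibling-directory member through, which is the kind of write the description characterises as landing next to, rather than under, the installation directory. For the CVE itself the practical check is the version: confirm `python -m pip --version` reports 26.0 or later (or the distribution builds listed under Affected) and upgrade with `python -m pip install --upgrade "pip>=26.0"` where it does not.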

Affected

7 ranges

Vendor                      Product                                              Version range                        Fixed in
dbt-labs                    dbt-common                                           >= 0, < 1.34.2                       1.34.2
dbt-labs                    dbt-common                                           >= 1.35.0, < 1.37.3                  1.37.3
debian                      python-pip                                           < python-pip 26.0+dfsg-1 (forky)     python-pip 26.0+dfsg-1 (forky)
msrc                        azl3_python-virtualenv_20.36.1-1_on_azure_linux_3.0
msrc                        azl3_python-virtualenv_20.36.1-2_on_azure_linux_3.0
pypa                        pip                                                  >= 0, < 26.0                         26.0
python_packaging_authority  pip                                                  < 26.0                               26.0

CVSS provenance

Source         CVSS version  Score  Severity  Vector
nvd            4.0           2.0    LOW       CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa                         2.0    LOW
osv                          2.0    LOW
vendor_redhat                5.0    MEDIUM
vendor_debian                2.0    LOW
vendor_msrc                  2.0    LOW