CVE-2026-3479 — Path Traversal in Software Foundation Cpython
Severity
0.0N/ANVD
EPSS
0.0%
top 97.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 18
Latest updateMar 19
Description
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.
pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
CVSS vector
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Packages1 packages
🔴Vulnerability Details
4📋Vendor Advisories
3🕵️Threat Intelligence
1💬Community
12Bugzilla▶
CVE-2026-3479 python3.14: Python pkgutil.get_data(): Path Traversal via improper resource argument validation [fedora-all]↗2026-03-19
Bugzilla▶
CVE-2026-3479 python3.10: Python pkgutil.get_data(): Path Traversal via improper resource argument validation [fedora-all]↗2026-03-19
Bugzilla▶
CVE-2026-3479 python3.13: Python pkgutil.get_data(): Path Traversal via improper resource argument validation [fedora-all]↗2026-03-19
Bugzilla▶
CVE-2026-3479 asahi-installer: Python pkgutil.get_data(): Path Traversal via improper resource argument validation [fedora-all]↗2026-03-19
Bugzilla▶
CVE-2026-3479 mingw-python3: Python pkgutil.get_data(): Path Traversal via improper resource argument validation [fedora-all]↗2026-03-19