Python-Poetry Poetry vulnerabilities

CVE-2026-41140 [LOW] CWE-22 CVE-2026-41140: Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/u Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 - 3.

CVE-2026-34591 [HIGH] CWE-22 CVE-2026-34591: Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted whe Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package artifacts during normal install flows. (Normally, installing a

CVE-2022-36070 [HIGH] CWE-426 CVE-2022-36070: Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, P Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unli

CVE-2022-36069 [HIGH] CWE-94 CVE-2022-36069: Poetry is a dependency manager for Python. When handling dependencies that come from a Git repositor Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an arr

CVE-2022-26184 [CRITICAL] CWE-426 CVE-2022-26184: Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the applicat Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.