Python Packaging Authority Pip vulnerabilities
2 known vulnerabilities affecting python_packaging_authority/pip.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 1, LOW 1
Vulnerabilities
CVE-2026-1703 [LOW] CVSS 2.0, CWE-22, fixed in 26.0, 2026-02-02
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
nvd
CVE-2025-8869 [MEDIUM] CVSS 5.9, fixed in 25.3, 2025-09-24
When extracting a tar archive, pip may not check that symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706.
Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706.
Note that this is a vulnerability i
nvd