CVE-2026-1703
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
When pip installs and extracts a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to paths that share a string prefix with the installation directory (for example, a sibling directory whose name begins with the installation directory's name), so in typical situations it cannot inject or overwrite executable files.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-1703
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-1703.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 26.0+dfsg-1 |
| debian | sid | fixed | 26.0+dfsg-1 |
| debian | trixie | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | pip | <26.0 | 26.0 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-1703
- https://github.com/pypa/pip/pull/13777
- https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
- https://github.com/pypa/pip
- https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ
- https://www.suse.com/security/cve/CVE-2026-1703.html
- https://security-tracker.debian.org/tracker/CVE-2026-1703