VIR Vulnerability Intelligence Relay

Package impact

python PyPI / pip

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Published Description Impact
CVE-2013-1629 medium 6.8 13y ago pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code v… debianpython
CVE-2026-6357 medium 5.5 1mo ago pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere susedebianpython
CVE-2026-3219 medium 5.5 1mo ago pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files susedebianpython
CVE-2021-3572 medium 5.5 5y ago Moderate: python38:3.8 and python38-devel:3.8 security update archsuserockylinuxdebian+1
CVE-2019-20916 medium 5.5 5y ago Moderate: python27:2.7 security update suserockylinuxdebianpython
CVE-2014-8991 low 2.1 4y ago pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. susedebianpython
CVE-2013-1888 low 2.1 4y ago pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory. fedoradebianpython
CVE-2013-5123 unknown 1.0 4y ago The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. susedebianpython
CVE-2026-1703 unknown 4mo ago When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation dir… susedebianpython
CVE-2025-8869 unknown 8mo ago When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for th… susedebianpython
CVE-2023-5752 unknown 3y ago When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to th… susedebianpython