Source: python-pip
Version: 25.3+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pypa/pip/pull/13777
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-pip.

CVE-2026-1703[0]:
| When pip is installing and extracting a maliciously crafted wheel
| archive, files may be extracted outside the installation directory.
| The path traversal is limited to prefixes of the installation
| directory, thus isn't able to inject or overwrite executable files
| in typical situations.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-1703
    https://www.cve.org/CVERecord?id=CVE-2026-1703
[1] https://github.com/pypa/pip/pull/13777
[2] https://github.com/pypa/pip/commit/4c651b70d60ed91b13663bcda9b3ed41748d0124
[3] https://mail.python.org/archives/list/[email protected]/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
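The advisory's phrase "limited to prefixes of the installation directory" describes the classic containment-check pitfall: comparing the resolved destination path against the target directory as a plain string prefix, so that a sibling directory whose name merely starts with the target name (e.g. `site-packages-evil` next to `site-packages`) passes the check. The block below is an added illustration of that class of bug and of the component-wise check that closes it; it is not pip's code, not the fix in the linked PR, and does not claim to reproduce pip's exact logic. The install directory, the archive member names and the archive itself are constructed for the example.

```python
import io
import os
import tempfile
import zipfile

# Hypothetical installation directory used for the path comparisons below.
TARGET = "/opt/app/site-packages"


def naive_is_within(target_dir: str, path: str) -> bool:
    """String-prefix containment check (the pitfall).

    A path under a sibling directory whose name starts with target_dir,
    such as /opt/app/site-packages-evil/..., is accepted.
    """
    target = os.path.abspath(target_dir)
    return os.path.abspath(path).startswith(target)


def strict_is_within(target_dir: str, path: str) -> bool:
    """Component-wise containment: target_dir must be an ancestor of the
    resolved path (or the path itself), so a '-evil' sibling is rejected."""
    target = os.path.abspath(target_dir)
    resolved = os.path.abspath(path)
    try:
        return os.path.commonpath([target, resolved]) == target
    except ValueError:  # e.g. different drives on Windows: never "within"
        return False


def classify(member_name: str, target_dir: str = TARGET):
    """Return (naive_verdict, strict_verdict) for one archive member name."""
    dest = os.path.join(target_dir, member_name)
    return naive_is_within(target_dir, dest), strict_is_within(target_dir, dest)


def build_zip(entries: dict) -> bytes:
    """Constructed sample archive with attacker-chosen member names.

    Plain zip rather than a real wheel: the member-name handling is the point.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def safe_extract(zip_bytes: bytes, dest_dir: str):
    """Write only members whose resolved destination is inside dest_dir.

    Files are written by hand (not ZipFile.extract) so the containment
    decision is made by strict_is_within alone. Returns (written, rejected).
    """
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out_path = os.path.join(dest_dir, info.filename)
            if not strict_is_within(dest_dir, out_path):
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(info) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


# Constructed member names: one legitimate, one that escapes into a
# same-prefix sibling directory, one that escapes further up the tree.
SAMPLE = {
    "pkg/__init__.py": b"",
    "../site-packages-evil/pwn.py": b"print('escaped')\n",
    "../../etc/cron.d/pwn": b"",
}


def demo():
    """Extract SAMPLE into a scratch directory; report what landed where."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "site-packages")
        os.makedirs(dest)
        written, rejected = safe_extract(build_zip(SAMPLE), dest)
        sibling = os.path.join(tmp, "site-packages-evil", "pwn.py")
        return written, rejected, os.path.exists(sibling)


if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name!r}: naive={classify(name)[0]} strict={classify(name)[1]}")
    print(demo())
```

Only the `../site-packages-evil/...` member separates the two checks: a `../../etc/...` member fails both, which is why a string-prefix bug of this shape is confined to directories sharing the installation directory's name prefix rather than allowing writes anywhere on the filesystem.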

