There is a MEDIUM severity vulnerability affecting the Python install
manager.
Script alias entrypoints (e.g. pip.exe) generated by version 26.0 of the
Python install manager were very likely to have an empty search path,
leading to modules in the current working directory being able to
override the intended module and execute code as the user.
Version 26.1 is fixed. Versions prior to 26.0 are not impacted.
After installing the updated version, run "py install --refresh" to
regenerate existing aliases.
Please see the linked CVE ID for the latest information on
affected versions:
* https://www.cve.org/CVERecord?id=CVE-2026-5271
* https://github.com/python/pymanager/pull/301
_______________________________________________
Security-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/security-announce.python.org
Member address: [email protected]
