CNNVD-202602-100 Information

CNNVD ID

CNNVD-202602-100

CVE-2026-1703

  • CNNVD Published: 2026-02-02

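Description (translated from Chinese)

pip is an open-source Python package installer from the Python Packaging Authority. pip has a security vulnerability: path traversal can occur when installing a maliciously crafted wheel archive, which may cause files to be extracted outside the installation directory.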

Description (English)

pip is an open-source Python package installer maintained by the Python Packaging Authority. pip contains a security vulnerability: installing a maliciously crafted wheel archive may trigger a path traversal, which could lead to files being extracted outside the installation directory.

Hazard Level

High

Vulnerability Type

Other

Affected Vendor

Python Packaging Authority

Published

2026-02-02

Last Modified

2026-02-24

References

  • https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
  • https://github.com/pypa/pip/pull/13777
  • https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/

Patch

https://pypi.org/project/pip/
