ByteOS Network

NVD Vulnerability Details :

CVE-2026-1703

Awaiting Analysis

Source-cna@python.org

Published At-02 Feb, 2026 | 15:16

Updated At-03 Feb, 2026 | 16:44

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	2.0	LOW	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 2.0

Base severity: LOW

Vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-22	Secondary	cna@python.org

CWE ID: CWE-22

Type: Secondary

Source: cna@python.org

References

Hyperlink	Source	Resource
https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735	cna@python.org	N/A
https://github.com/pypa/pip/pull/13777	cna@python.org	N/A
https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/	cna@python.org	N/A