CVE-2026-1703 (GCVE-0-2026-1703)
Vulnerability from cvelistv5 – Published: 2026-02-02 14:43 – Updated: 2026-02-02 17:21
Title
Limited path traversal when installing wheel archives
Summary
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/pypa/pip/pull/13777 | patch |
| https://github.com/pypa/pip/commit/8e227a9be4faa9… | patch |
| https://mail.python.org/archives/list/security-an… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Python Packaging Authority | pip | Affected: 0, < 26.0 (python) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-02T17:21:09.808485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T17:21:25.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org",
"defaultStatus": "unaffected",
"packageName": "pip",
"product": "pip",
"repo": "https://github.com/pypa/pip",
"vendor": "Python Packaging Authority",
"versions": [
{
"lessThan": "26.0",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn\u0027t able to inject or overwrite executable files in typical situations."
}
],
"value": "When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn\u0027t able to inject or overwrite executable files in typical situations."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T14:45:44.871Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/pypa/pip/pull/13777"
},
{
"tags": [
"patch"
],
"url": "https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Limited path traversal when installing wheel archives",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-1703",
"datePublished": "2026-02-02T14:43:02.919Z",
"dateReserved": "2026-01-30T15:17:22.133Z",
"dateUpdated": "2026-02-02T17:21:25.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-1703",
"date": "2026-06-12",
"epss": "0.0003",
"percentile": "0.09179"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-1703\",\"sourceIdentifier\":\"cna@python.org\",\"published\":\"2026-02-02T15:16:30.510\",\"lastModified\":\"2026-02-03T16:44:36.630\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn\u0027t able to inject or overwrite executable files in typical situations.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@python.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.0,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"cna@python.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735\",\"source\":\"cna@python.org\"},{\"url\":\"https://github.com/pypa/pip/pull/13777\",\"source\":\"cna@python.org\"},{\"url\":\"https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/\",\"source\":\"cna@python.org\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-1703\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-02T17:21:09.808485Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-02T17:21:20.363Z\"}}], \"cna\": {\"title\": \"Limited path traversal when installing wheel archives\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/pypa/pip\", \"vendor\": \"Python Packaging Authority\", \"product\": \"pip\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"26.0\", \"versionType\": \"python\"}], \"packageName\": \"pip\", \"collectionURL\": \"https://pypi.org\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/pypa/pip/pull/13777\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735\", \"tags\": [\"patch\"]}, {\"url\": \"https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn\u0027t able to inject or overwrite executable files in typical situations.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn\u0027t able to inject or overwrite executable files in typical situations.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"28c92f92-d60d-412d-b760-e73465c3df22\", \"shortName\": \"PSF\", \"dateUpdated\": \"2026-02-02T14:45:44.871Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-1703\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-02T17:21:25.369Z\", \"dateReserved\": \"2026-01-30T15:17:22.133Z\", \"assignerOrgId\": \"28c92f92-d60d-412d-b760-e73465c3df22\", \"datePublished\": \"2026-02-02T14:43:02.919Z\", \"assignerShortName\": \"PSF\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
OPENSUSE-SU-2026:20202-1
Vulnerability from csaf_opensuse - Published: 2026-02-11 19:17 - Updated: 2026-02-11 19:17
Summary
Security update for python-pip
Severity
Low
Notes
Title of the patch: Security update for python-pip
Description of the patch: This update for python-pip fixes the following issues:
- CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously crafted wheel archives (bsc#1257599).
Patchnames: openSUSE-Leap-16.0-256
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-pip-25.0.1-160000.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch | — | | Vendor Fix |
Threats
Impact
low
References
6 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-pip",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-pip fixes the following issues:\n\n- CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously\n crafted wheel archives (bsc#1257599).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-256",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20202-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1257599",
"url": "https://bugzilla.suse.com/1257599"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1703 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1703/"
}
],
"title": "Security update for python-pip",
"tracking": {
"current_release_date": "2026-02-11T19:17:08Z",
"generator": {
"date": "2026-02-11T19:17:08Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20202-1",
"initial_release_date": "2026-02-11T19:17:08Z",
"revision_history": [
{
"date": "2026-02-11T19:17:08Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-pip-25.0.1-160000.3.1.noarch",
"product": {
"name": "python313-pip-25.0.1-160000.3.1.noarch",
"product_id": "python313-pip-25.0.1-160000.3.1.noarch"
}
},
{
"category": "product_version",
"name": "python313-pip-wheel-25.0.1-160000.3.1.noarch",
"product": {
"name": "python313-pip-wheel-25.0.1-160000.3.1.noarch",
"product_id": "python313-pip-wheel-25.0.1-160000.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-pip-25.0.1-160000.3.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:python313-pip-25.0.1-160000.3.1.noarch"
},
"product_reference": "python313-pip-25.0.1-160000.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-pip-wheel-25.0.1-160000.3.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch"
},
"product_reference": "python313-pip-wheel-25.0.1-160000.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-1703",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1703"
}
],
"notes": [
{
"category": "general",
"text": "When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn\u0027t able to inject or overwrite executable files in typical situations.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-pip-25.0.1-160000.3.1.noarch",
"openSUSE Leap 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1703",
"url": "https://www.suse.com/security/cve/CVE-2026-1703"
},
{
"category": "external",
"summary": "SUSE Bug 1257599 for CVE-2026-1703",
"url": "https://bugzilla.suse.com/1257599"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-pip-25.0.1-160000.3.1.noarch",
"openSUSE Leap 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-pip-25.0.1-160000.3.1.noarch",
"openSUSE Leap 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-11T19:17:08Z",
"details": "low"
}
],
"title": "CVE-2026-1703"
}
]
}
RHSA-2026:7610
Vulnerability from csaf_redhat - Published: 2026-04-10 23:42 - Updated: 2026-05-07 21:41
Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Low
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
python-pip:
* python-pip-wheel-26.0.1-2.1.hum1 (noarch)
* python3-pip-26.0.1-2.1.hum1 (noarch)
* python-pip-26.0.1-2.1.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in pip. A remote attacker could exploit this path traversal vulnerability by tricking a user into installing a maliciously crafted wheel archive. This could lead to files being extracted outside the intended installation directory, potentially disclosing sensitive information.
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected products
Threats
Impact
Low
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\npython-pip:\n * python-pip-wheel-26.0.1-2.1.hum1 (noarch)\n * python3-pip-26.0.1-2.1.hum1 (noarch)\n * python-pip-26.0.1-2.1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:7610",
"url": "https://access.redhat.com/errata/RHSA-2026:7610"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-1703",
"url": "https://access.redhat.com/security/cve/CVE-2026-1703"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7610.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-05-07T21:41:35+00:00",
"generator": {
"date": "2026-05-07T21:41:35+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2026:7610",
"initial_release_date": "2026-04-10T23:42:31+00:00",
"revision_history": [
{
"date": "2026-04-10T23:42:31+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-20T11:28:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-07T21:41:35+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "python-pip-main@src",
"product": {
"name": "python-pip-main@src",
"product_id": "python-pip-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-pip@26.0.1-2.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python-pip-main@noarch",
"product": {
"name": "python-pip-main@noarch",
"product_id": "python-pip-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-pip-wheel@26.0.1-2.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-pip-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:python-pip-main@noarch"
},
"product_reference": "python-pip-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-pip-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:python-pip-main@src"
},
"product_reference": "python-pip-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-1703",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-02-02T16:00:55.704051+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2436000"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in pip. A remote attacker could exploit this path traversal vulnerability by tricking a user into installing a maliciously crafted wheel archive. This could lead to files being extracted outside the intended installation directory, potentially disclosing sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "pip: pip: Information disclosure via path traversal when installing crafted wheel archives",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This LOW impact flaw in pip allows information disclosure via path traversal when installing crafted wheel archives. While files may be extracted outside the installation directory, the traversal is limited to prefixes of the installation directory, preventing injection or overwriting of executable files in typical Red Hat environments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:python-pip-main@noarch",
"Red Hat Hardened Images:python-pip-main@src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-1703"
},
{
"category": "external",
"summary": "RHBZ#2436000",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436000"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-1703",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1703"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1703",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1703"
},
{
"category": "external",
"summary": "https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735",
"url": "https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735"
},
{
"category": "external",
"summary": "https://github.com/pypa/pip/pull/13777",
"url": "https://github.com/pypa/pip/pull/13777"
},
{
"category": "external",
"summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/"
}
],
"release_date": "2026-02-02T14:43:02.919000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T23:42:31+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:python-pip-main@noarch",
"Red Hat Hardened Images:python-pip-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7610"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:python-pip-main@noarch",
"Red Hat Hardened Images:python-pip-main@src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:python-pip-main@noarch",
"Red Hat Hardened Images:python-pip-main@src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "pip: pip: Information disclosure via path traversal when installing crafted wheel archives"
}
]
}
SUSE-SU-2026:0420-1
Vulnerability from csaf_suse - Published: 2026-02-10 14:18 - Updated: 2026-02-10 14:18
Summary
Security update for python-pip
Severity
Low
Notes
Title of the patch: Security update for python-pip
Description of the patch: This update for python-pip fixes the following issues:
- CVE-2026-1703: Fixed a potential path traversal in python-pip. (bsc#1257599)
Patchnames: SUSE-2026-420,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-420
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python-pip-10.0.1-13.17.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-pip-10.0.1-13.17.1.noarch | — | | Vendor Fix |
Threats
Impact
low
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-pip",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-pip fixes the following issues:\n\n- CVE-2026-1703: Fixed a potential path traversal in python-pip. (bsc#1257599)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-420,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-420",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0420-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0420-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260420-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0420-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024090.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257599",
"url": "https://bugzilla.suse.com/1257599"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1703 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1703/"
}
],
"title": "Security update for python-pip",
"tracking": {
"current_release_date": "2026-02-10T14:18:13Z",
"generator": {
"date": "2026-02-10T14:18:13Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0420-1",
"initial_release_date": "2026-02-10T14:18:13Z",
"revision_history": [
{
"date": "2026-02-10T14:18:13Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python-pip-10.0.1-13.17.1.noarch",
"product": {
"name": "python-pip-10.0.1-13.17.1.noarch",
"product_id": "python-pip-10.0.1-13.17.1.noarch"
}
},
{
"category": "product_version",
"name": "python-pip-wheel-10.0.1-13.17.1.noarch",
"product": {
"name": "python-pip-wheel-10.0.1-13.17.1.noarch",
"product_id": "python-pip-wheel-10.0.1-13.17.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-pip-10.0.1-13.17.1.noarch",
"product": {
"name": "python3-pip-10.0.1-13.17.1.noarch",
"product_id": "python3-pip-10.0.1-13.17.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-pip-wheel-10.0.1-13.17.1.noarch",
"product": {
"name": "python3-pip-wheel-10.0.1-13.17.1.noarch",
"product_id": "python3-pip-wheel-10.0.1-13.17.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss-extended-security:12:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-pip-10.0.1-13.17.1.noarch as component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python-pip-10.0.1-13.17.1.noarch"
},
"product_reference": "python-pip-10.0.1-13.17.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-pip-10.0.1-13.17.1.noarch as component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-pip-10.0.1-13.17.1.noarch"
},
"product_reference": "python3-pip-10.0.1-13.17.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-1703",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1703"
}
],
"notes": [
{
"category": "general",
"text": "When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn\u0027t able to inject or overwrite executable files in typical situations.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python-pip-10.0.1-13.17.1.noarch",
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-pip-10.0.1-13.17.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1703",
"url": "https://www.suse.com/security/cve/CVE-2026-1703"
},
{
"category": "external",
"summary": "SUSE Bug 1257599 for CVE-2026-1703",
"url": "https://bugzilla.suse.com/1257599"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python-pip-10.0.1-13.17.1.noarch",
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-pip-10.0.1-13.17.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python-pip-10.0.1-13.17.1.noarch",
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-pip-10.0.1-13.17.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-10T14:18:13Z",
"details": "low"
}
],
"title": "CVE-2026-1703"
}
]
}
SUSE-SU-2026:0805-1
Vulnerability from csaf_suse - Published: 2026-03-04 12:58 - Updated: 2026-03-04 12:58
Summary
Security update for python-pip
Severity
Low
Notes
Title of the patch: Security update for python-pip
Description of the patch: This update for python-pip fixes the following issues:
- CVE-2026-1703: Fixed a potential path traversal in python-pip. (bsc#1257599)
Patchnames: SUSE-2026-805,SUSE-SLE-Module-Public-Cloud-15-SP4-2026-805,SUSE-SLE-Module-Python3-15-SP7-2026-805,openSUSE-SLE-15.6-2026-805
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-pip-22.3.1-150400.17.19.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Python 3 15 SP7:python311-pip-22.3.1-150400.17.19.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:python311-pip-22.3.1-150400.17.19.1.noarch | — | | Vendor Fix |
Threats
Impact
low
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-pip",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-pip fixes the following issues:\n\n- CVE-2026-1703: Fixed a potential path traversal in python-pip. (bsc#1257599)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-805,SUSE-SLE-Module-Public-Cloud-15-SP4-2026-805,SUSE-SLE-Module-Python3-15-SP7-2026-805,openSUSE-SLE-15.6-2026-805",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0805-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0805-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260805-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0805-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024567.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257599",
"url": "https://bugzilla.suse.com/1257599"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1703 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1703/"
}
],
"title": "Security update for python-pip",
"tracking": {
"current_release_date": "2026-03-04T12:58:41Z",
"generator": {
"date": "2026-03-04T12:58:41Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0805-1",
"initial_release_date": "2026-03-04T12:58:41Z",
"revision_history": [
{
"date": "2026-03-04T12:58:41Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-pip-22.3.1-150400.17.19.1.noarch",
"product": {
"name": "python311-pip-22.3.1-150400.17.19.1.noarch",
"product_id": "python311-pip-22.3.1-150400.17.19.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Python 3 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Python 3 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-python3:15:sp7"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-pip-22.3.1-150400.17.19.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-pip-22.3.1-150400.17.19.1.noarch"
},
"product_reference": "python311-pip-22.3.1-150400.17.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-pip-22.3.1-150400.17.19.1.noarch as component of SUSE Linux Enterprise Module for Python 3 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP7:python311-pip-22.3.1-150400.17.19.1.noarch"
},
"product_reference": "python311-pip-22.3.1-150400.17.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-pip-22.3.1-150400.17.19.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:python311-pip-22.3.1-150400.17.19.1.noarch"
},
"product_reference": "python311-pip-22.3.1-150400.17.19.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-1703",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1703"
}
],
"notes": [
{
"category": "general",
"text": "When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn\u0027t able to inject or overwrite executable files in typical situations.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-pip-22.3.1-150400.17.19.1.noarch",
"SUSE Linux Enterprise Module for Python 3 15 SP7:python311-pip-22.3.1-150400.17.19.1.noarch",
"openSUSE Leap 15.6:python311-pip-22.3.1-150400.17.19.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1703",
"url": "https://www.suse.com/security/cve/CVE-2026-1703"
},
{
"category": "external",
"summary": "SUSE Bug 1257599 for CVE-2026-1703",
"url": "https://bugzilla.suse.com/1257599"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-pip-22.3.1-150400.17.19.1.noarch",
"SUSE Linux Enterprise Module for Python 3 15 SP7:python311-pip-22.3.1-150400.17.19.1.noarch",
"openSUSE Leap 15.6:python311-pip-22.3.1-150400.17.19.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-pip-22.3.1-150400.17.19.1.noarch",
"SUSE Linux Enterprise Module for Python 3 15 SP7:python311-pip-22.3.1-150400.17.19.1.noarch",
"openSUSE Leap 15.6:python311-pip-22.3.1-150400.17.19.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-04T12:58:41Z",
"details": "low"
}
],
"title": "CVE-2026-1703"
}
]
}
SUSE-SU-2026:20423-1
Vulnerability from csaf_suse - Published: 2026-02-11 19:21 - Updated: 2026-02-11 19:21
Summary
Security update for python-pip
Severity
Low
Notes
Title of the patch: Security update for python-pip
Description of the patch: This update for python-pip fixes the following issues:
- CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously crafted wheel archives (bsc#1257599).
Patchnames: SUSE-SLES-16.0-256
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch | — | | Vendor Fix |
Threats
Impact
low
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-pip",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-pip fixes the following issues:\n\n- CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously\n crafted wheel archives (bsc#1257599).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-256",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_20423-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:20423-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620423-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:20423-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024347.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257599",
"url": "https://bugzilla.suse.com/1257599"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1703 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1703/"
}
],
"title": "Security update for python-pip",
"tracking": {
"current_release_date": "2026-02-11T19:21:28Z",
"generator": {
"date": "2026-02-11T19:21:28Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:20423-1",
"initial_release_date": "2026-02-11T19:21:28Z",
"revision_history": [
{
"date": "2026-02-11T19:21:28Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-pip-25.0.1-160000.3.1.noarch",
"product": {
"name": "python313-pip-25.0.1-160000.3.1.noarch",
"product_id": "python313-pip-25.0.1-160000.3.1.noarch"
}
},
{
"category": "product_version",
"name": "python313-pip-wheel-25.0.1-160000.3.1.noarch",
"product": {
"name": "python313-pip-wheel-25.0.1-160000.3.1.noarch",
"product_id": "python313-pip-wheel-25.0.1-160000.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-pip-25.0.1-160000.3.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.3.1.noarch"
},
"product_reference": "python313-pip-25.0.1-160000.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-pip-wheel-25.0.1-160000.3.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch"
},
"product_reference": "python313-pip-wheel-25.0.1-160000.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-pip-25.0.1-160000.3.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.3.1.noarch"
},
"product_reference": "python313-pip-25.0.1-160000.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-pip-wheel-25.0.1-160000.3.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch"
},
"product_reference": "python313-pip-wheel-25.0.1-160000.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-1703",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1703"
}
],
"notes": [
{
"category": "general",
"text": "When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn\u0027t able to inject or overwrite executable files in typical situations.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.3.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1703",
"url": "https://www.suse.com/security/cve/CVE-2026-1703"
},
{
"category": "external",
"summary": "SUSE Bug 1257599 for CVE-2026-1703",
"url": "https://bugzilla.suse.com/1257599"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.3.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.3.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-11T19:21:28Z",
"details": "low"
}
],
"title": "CVE-2026-1703"
}
]
}
SUSE-SU-2026:22018-1
Vulnerability from csaf_suse - Published: 2026-06-02 13:37 - Updated: 2026-06-02 13:37
Summary
Security update for python-pip
Severity
Moderate
Notes
Title of the patch: Security update for python-pip
Description of the patch: This update for python-pip fixes the following issues:
- CVE-2026-3219: concatenated tar and ZIP files are handled as ZIP files, resulting in possibly obfuscated malicious code (bsc#1262429).
- CVE-2026-6357: pip self-update functionality can import newly installed modules after wheel installation, resulting in potential arbitrary code execution (bsc#1263442).
Patchnames: SUSE-SLES-16.0-872
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch | — | | Vendor Fix |
Threats
Impact
low
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch | — | | Vendor Fix |
Threats
Impact
moderate
5.8 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch | — | | Vendor Fix |
Threats
Impact
moderate
References
15 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-pip",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-pip fixes the following issues:\n\n- CVE-2026-3219: concatenated tar and ZIP files are handled as ZIP files, resulting in possibly obfuscated malicious\n code (bsc#1262429).\n- CVE-2026-6357: pip self-update functionality can import newly installed modules after wheel installation, resulting\n in potential arbitrary code execution (bsc#1263442).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-872",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_22018-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:22018-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622018-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:22018-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-June/047158.html"
},
{
"category": "self",
"summary": "SUSE Bug 1262429",
"url": "https://bugzilla.suse.com/1262429"
},
{
"category": "self",
"summary": "SUSE Bug 1263442",
"url": "https://bugzilla.suse.com/1263442"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1703 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1703/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-3219 page",
"url": "https://www.suse.com/security/cve/CVE-2026-3219/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-6357 page",
"url": "https://www.suse.com/security/cve/CVE-2026-6357/"
}
],
"title": "Security update for python-pip",
"tracking": {
"current_release_date": "2026-06-02T13:37:13Z",
"generator": {
"date": "2026-06-02T13:37:13Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:22018-1",
"initial_release_date": "2026-06-02T13:37:13Z",
"revision_history": [
{
"date": "2026-06-02T13:37:13Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-pip-25.0.1-160000.4.1.noarch",
"product": {
"name": "python313-pip-25.0.1-160000.4.1.noarch",
"product_id": "python313-pip-25.0.1-160000.4.1.noarch"
}
},
{
"category": "product_version",
"name": "python313-pip-wheel-25.0.1-160000.4.1.noarch",
"product": {
"name": "python313-pip-wheel-25.0.1-160000.4.1.noarch",
"product_id": "python313-pip-wheel-25.0.1-160000.4.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-pip-25.0.1-160000.4.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch"
},
"product_reference": "python313-pip-25.0.1-160000.4.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-pip-wheel-25.0.1-160000.4.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
},
"product_reference": "python313-pip-wheel-25.0.1-160000.4.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-pip-25.0.1-160000.4.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch"
},
"product_reference": "python313-pip-25.0.1-160000.4.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-pip-wheel-25.0.1-160000.4.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
},
"product_reference": "python313-pip-wheel-25.0.1-160000.4.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-1703",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1703"
}
],
"notes": [
{
"category": "general",
"text": "When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn\u0027t able to inject or overwrite executable files in typical situations.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1703",
"url": "https://www.suse.com/security/cve/CVE-2026-1703"
},
{
"category": "external",
"summary": "SUSE Bug 1257599 for CVE-2026-1703",
"url": "https://bugzilla.suse.com/1257599"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-02T13:37:13Z",
"details": "low"
}
],
"title": "CVE-2026-1703"
},
{
"cve": "CVE-2026-3219",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-3219"
}
],
"notes": [
{
"category": "general",
"text": "pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing \"incorrect\" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-3219",
"url": "https://www.suse.com/security/cve/CVE-2026-3219"
},
{
"category": "external",
"summary": "SUSE Bug 1262429 for CVE-2026-3219",
"url": "https://bugzilla.suse.com/1262429"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-02T13:37:13Z",
"details": "moderate"
}
],
"title": "CVE-2026-3219"
},
{
"cve": "CVE-2026-6357",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-6357"
}
],
"notes": [
{
"category": "general",
"text": "pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-6357",
"url": "https://www.suse.com/security/cve/CVE-2026-6357"
},
{
"category": "external",
"summary": "SUSE Bug 1263442 for CVE-2026-6357",
"url": "https://bugzilla.suse.com/1263442"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-02T13:37:13Z",
"details": "moderate"
}
],
"title": "CVE-2026-6357"
}
]
}
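The two archive-handling issues described in the records above, members of a wheel that resolve outside the installation directory (CVE-2026-1703) and a file that identifies as both a tar and a ZIP archive (CVE-2026-3219), can both be screened for before an archive is extracted. The following is an added example and is not pip's own code nor the fix referenced in the advisories; the function names, the sample archives and the temporary install directory are constructed here for illustration only.

```python
"""Pre-install checks for a wheel archive (added example, not pip's code).

Two checks a cautious installer can run before extracting an archive:
the file must identify as exactly one archive format, and no member may
resolve outside the installation directory. Sample archives are built in
a temporary directory; they are constructed here, not real packages.
"""
import io
import os
import tarfile
import tempfile
import zipfile


def archive_kind(path):
    """Return 'zip' or 'tar'; raise ValueError if the file is neither or both.

    zipfile.is_zipfile() only looks for the end-of-central-directory record
    at the tail of the file, and tarfile.is_tarfile() only parses the header
    at the head, so a tar archive with a ZIP appended satisfies both.
    """
    is_zip = zipfile.is_zipfile(path)
    is_tar = tarfile.is_tarfile(path)
    if is_zip and is_tar:
        raise ValueError("file identifies as both ZIP and tar (polyglot)")
    if is_zip:
        return "zip"
    if is_tar:
        return "tar"
    raise ValueError("file is neither a ZIP nor a tar archive")


def unsafe_members(wheel_path, install_dir):
    """Return the member names of a wheel that would land outside install_dir.

    Each name is joined onto install_dir and normalised the way an extractor
    would; os.path.commonpath() of the pair must be install_dir itself. That
    rejects an ancestor of install_dir (e.g. the venv root) and a sibling such
    as 'site-packages-evil' that a startswith() check on the string accepts.
    """
    install_dir = os.path.normpath(os.path.abspath(install_dir))
    bad = []
    with zipfile.ZipFile(wheel_path) as zf:
        for name in zf.namelist():
            # Wheel member names are '/'-separated and always relative.
            if name.startswith("/") or "\\" in name:
                bad.append(name)
                continue
            dest = os.path.normpath(os.path.join(install_dir, name))
            if os.path.commonpath([install_dir, dest]) != install_dir:
                bad.append(name)
    return bad


def write_zip(path, members):
    """Write a ZIP with the given {name: bytes} members (constructed sample)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return path


def write_polyglot(path):
    """Write a tar archive with a ZIP appended (constructed sample)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        payload = b"# from the tar half\n"
        info = tarfile.TarInfo("pkg/__init__.py")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("pkg/__init__.py", b"# from the zip half\n")
    with open(path, "wb") as fh:
        fh.write(tar_buf.getvalue() + zip_buf.getvalue())
    return path


def build_samples():
    """Create the sample archives; returns (install_dir, good, evil, polyglot)."""
    tmp = tempfile.mkdtemp()
    install_dir = os.path.join(tmp, "venv", "lib", "python3.13", "site-packages")
    good = write_zip(os.path.join(tmp, "good-1.0-py3-none-any.whl"), {
        "good/__init__.py": b"",
        "good-1.0.dist-info/RECORD": b"",
    })
    evil = write_zip(os.path.join(tmp, "evil-1.0-py3-none-any.whl"), {
        "evil/__init__.py": b"",
        "../../../pyvenv.cfg": b"home = /tmp/attacker\n",  # ancestor of install_dir
        "../site-packages-evil/x.py": b"",                 # shares a string prefix
        "/etc/evil.conf": b"",                             # absolute name
    })
    polyglot = write_polyglot(os.path.join(tmp, "pkg-1.0.tar"))
    return install_dir, good, evil, polyglot


if __name__ == "__main__":
    install_dir, good, evil, polyglot = build_samples()
    for archive in (good, evil, polyglot):
        try:
            kind = archive_kind(archive)
        except ValueError as exc:
            print(f"{os.path.basename(archive)}: rejected ({exc})")
            continue
        print(f"{os.path.basename(archive)}: {kind}, unsafe members: "
              f"{unsafe_members(archive, install_dir)}")
```

A wheel also places files from its `.data/` directory under other scheme directories (scripts, headers, data); the same `unsafe_members` check applies per target directory. A stricter policy can additionally reject any member containing a `..` component outright, since a well-formed wheel never needs one.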