Fluid Attacks Database

Description

pip Path Traversal vulnerability When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	python-pip	=20.3.4-4 \|\| =20.3.4-4+deb11u1 \|\| =20.3.4-4+deb11u2 \|\| =21.3.1+dfsg-1 \|\| =21.3.1+dfsg-2 \|\| =21.3.1+dfsg-3 \|\| =22.0.2+dfsg-1 \|\| =22.1+dfsg-1 \|\| =22.1.1+dfsg-1 \|\| =22.2+dfsg-1 \|\| =22.3+dfsg-1 \|\| =22.3.1+dfsg-1 \|\| =22.3.1+dfsg-2 \|\| =23.0+dfsg-1 \|\| =23.0+dfsg-2 \|\| =23.0.1+dfsg-1 \|\| =23.1.2+dfsg-1 \|\| =23.1.2+dfsg-2 \|\| =23.2+dfsg-1 \|\| =23.2.1+dfsg-1 \|\| =23.3+dfsg-1 \|\| =24.0+dfsg-1 \|\| =24.0+dfsg-2 \|\| =24.1+dfsg-1 \|\| =24.1.1+dfsg-1 \|\| =24.2+dfsg-1 \|\| =24.3.1+dfsg-1 \|\| =25.0+dfsg-1 \|\| =25.0.1+dfsg-1 \|\| =25.1+dfsg-1 \|\| =25.1.1+dfsg-1 \|\| =25.2+dfsg-1 \|\| =25.3+dfsg-1 \|\| =26.0+dfsg-1 \|\| =26.0.1+dfsg-1	-
pypi	pip	>=0 <26.0	26.0
debian 14	python-pip	=25.1.1+dfsg-1 \|\| =25.2+dfsg-1 \|\| =25.3+dfsg-1 \|\| >=0 <26.0+dfsg-1	26.0+dfsg-1
debian 12	python-pip	=23.0.1+dfsg-1 \|\| =23.1.2+dfsg-1 \|\| =23.1.2+dfsg-2 \|\| =23.2+dfsg-1 \|\| =23.2.1+dfsg-1 \|\| =23.3+dfsg-1 \|\| =24.0+dfsg-1 \|\| =24.0+dfsg-2 \|\| =24.1+dfsg-1 \|\| =24.1.1+dfsg-1 \|\| =24.2+dfsg-1 \|\| =24.3.1+dfsg-1 \|\| =25.0+dfsg-1 \|\| =25.0.1+dfsg-1 \|\| =25.1+dfsg-1 \|\| =25.1.1+dfsg-1 \|\| =25.2+dfsg-1 \|\| =25.3+dfsg-1 \|\| =26.0+dfsg-1 \|\| =26.0.1+dfsg-1	-
debian 13	python-pip	=25.1.1+dfsg-1 \|\| =25.2+dfsg-1 \|\| =25.3+dfsg-1 \|\| =26.0+dfsg-1 \|\| =26.0.1+dfsg-1	-
rpm rhel9	python-312-minimal	-	-
rpm rhel8	python-36	-	-
rpm rhel10	python-312-minimal	-	-
rpm rhel9	python-312	-	-
rpm rhel8	python-311	-	-

1-10 of 14

Aliases

1. CVE-2026-17032. NVD-2026-17033. OSV-DEBIAN-2026-17034. OSV-2026-17035. GCVE-2026-17036. SECURITY-TRACKER-CVE-2026-1703

References

1. https://github.com/pypa/pip/pull/137772. https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e77353. https://mail.python.org/archives/list/[email protected]/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.