Low severity · OSV Advisory · Published Feb 2, 2026 · Updated Apr 15, 2026
CVE-2026-1703
Description
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, and thus it isn't able to inject or overwrite executable files in typical situations.
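The following audit script is an added example, not pip's code and not part of the advisory. It assumes the "prefixes" limitation refers to a containment test that compares path strings character by character rather than component by component, and it flags wheel members that such a test would accept but a component-wise test rejects. The helper names, the destination path and the in-memory sample archive are all constructed for illustration (POSIX paths).

```python
import io
import os
import zipfile


def within_by_string_prefix(directory, target):
    """Weak containment test: compares raw characters, not path components."""
    base = os.path.abspath(directory)
    return os.path.commonprefix([base, os.path.abspath(target)]) == base


def within_by_components(directory, target):
    """Strict containment test: compares whole path components."""
    base = os.path.abspath(directory)
    return os.path.commonpath([base, os.path.abspath(target)]) == base


def audit_wheel(wheel_file, dest_dir):
    """Return (member, verdict) for each member that resolves outside dest_dir."""
    findings = []
    with zipfile.ZipFile(wheel_file) as zf:
        for name in zf.namelist():
            target = os.path.join(dest_dir, name)
            if within_by_components(dest_dir, target):
                continue  # safely contained, nothing to report
            weak_ok = within_by_string_prefix(dest_dir, target)
            verdict = "passes-prefix-check" if weak_ok else "rejected-by-both"
            findings.append((name, verdict))
    return findings


def build_sample_wheel():
    """Constructed in-memory archive; member names are made up for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "")
        zf.writestr("../site-packages-extra/demo.txt", "")
        zf.writestr("../../elsewhere/demo.txt", "")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    dest = "/opt/venv/lib/site-packages"  # assumed install directory
    for member, verdict in audit_wheel(build_sample_wheel(), dest):
        print(f"{verdict:20} {member}")
```

Members reported as `passes-prefix-check` are the ones to look for when reviewing wheels that were installed with pip versions before 26.0.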
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pip (PyPI) | < 26.0 | 26.0 |
Affected products
osv-coords, 75 versions. No entry has a CPE.

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/airflow-2 | < 2.11.2-r9 |
| pkg:apk/chainguard/ansible-operator | < 1.42.0-r8 |
| pkg:apk/chainguard/ansible-operator-fips | < 1.42.0-r6 |
| pkg:apk/chainguard/awx | < 24.6.1-r26 |
| pkg:apk/chainguard/dask-gateway | < 2025.4.0-r7 |
| pkg:apk/chainguard/dask-gateway-server | < 2025.4.0-r7 |
| pkg:apk/chainguard/datadog-agent-7.71 | < 7.71.2-r11 |
| pkg:apk/chainguard/datadog-agent-7.71-core-integrations | < 7.71.2-r11 |
| pkg:apk/chainguard/datadog-agent-7.72 | < 7.72.4-r8 |
| pkg:apk/chainguard/datadog-agent-7.72-core-integrations | < 7.72.4-r8 |
| pkg:apk/chainguard/datadog-agent-7.73 | < 7.73.3-r5 |
| pkg:apk/chainguard/datadog-agent-7.73-core-integrations | < 7.73.3-r5 |
| pkg:apk/chainguard/datadog-agent-7.74 | < 7.74.1-r8 |
| pkg:apk/chainguard/datadog-agent-7.74-core-integrations | < 7.74.1-r8 |
| pkg:apk/chainguard/datadog-agent-fips-7.71 | < 7.71.2-r6 |
| pkg:apk/chainguard/datadog-agent-fips-7.71-core-integrations | < 7.71.2-r6 |
| pkg:apk/chainguard/datadog-agent-fips-7.72 | < 7.72.4-r4 |
| pkg:apk/chainguard/datadog-agent-fips-7.72-core-integrations | < 7.72.4-r4 |
| pkg:apk/chainguard/datadog-agent-fips-7.73 | < 7.73.3-r3 |
| pkg:apk/chainguard/datadog-agent-fips-7.73-core-integrations | < 7.73.3-r3 |
| pkg:apk/chainguard/datadog-agent-fips-7.74 | < 7.74.1-r4 |
| pkg:apk/chainguard/datadog-agent-fips-7.74-core-integrations | < 7.74.1-r4 |
| pkg:apk/chainguard/graalvm-25-graalpy-venv | < 25.0.2-r10 |
| pkg:apk/chainguard/katib-earlystopping | < 0.19.0-r5 |
| pkg:apk/chainguard/katib-suggestion-hyperband | < 0.19.0-r5 |
| pkg:apk/chainguard/katib-suggestion-hyperopt | < 0.19.0-r5 |
| pkg:apk/chainguard/katib-suggestion-nas-darts | < 0.19.0-r5 |
| pkg:apk/chainguard/katib-suggestion-optuna-enas | < 0.19.0-r5 |
| pkg:apk/chainguard/katib-suggestion-pbt-enas | < 0.19.0-r5 |
| pkg:apk/chainguard/katib-suggestion-skopt-enas | < 0.19.0-r5 |
| pkg:apk/chainguard/localstack | < 4.14.0-r6 |
| pkg:apk/chainguard/nemo | < 2.6.1-r4 |
| pkg:apk/chainguard/pgadmin4 | < 9.12-r0 |
| pkg:apk/chainguard/pgadmin4-fips | < 9.12-r0 |
| pkg:apk/chainguard/py3.10-virtualenv | < 21.5.0-r0 |
| pkg:apk/chainguard/py3.11-virtualenv | < 21.5.0-r0 |
| pkg:apk/chainguard/py3.12-virtualenv | < 21.5.0-r0 |
| pkg:apk/chainguard/py3.13-virtualenv | < 21.5.0-r0 |
| pkg:apk/chainguard/pypy-3.10 | < 7.3.19-r15 |
| pkg:apk/chainguard/request-1276 | < 0.27.1-r1 |
| pkg:apk/chainguard/tensorflow-cpu-jupyter | < 2.20.0-r10 |
| pkg:apk/chainguard/tensorflow-gpu-jupyter | < 2.20.0-r9 |
| pkg:apk/wolfi/ansible-operator | < 1.42.0-r8 |
| pkg:apk/wolfi/dask-gateway | < 2025.4.0-r7 |
| pkg:apk/wolfi/dask-gateway-server | < 2025.4.0-r7 |
| pkg:apk/wolfi/datadog-agent-7.72 | < 7.72.4-r8 |
| pkg:apk/wolfi/datadog-agent-7.72-core-integrations | < 7.72.4-r8 |
| pkg:apk/wolfi/datadog-agent-7.73 | < 7.73.3-r5 |
| pkg:apk/wolfi/datadog-agent-7.73-core-integrations | < 7.73.3-r5 |
| pkg:apk/wolfi/datadog-agent-7.74 | < 7.74.1-r8 |
| pkg:apk/wolfi/datadog-agent-7.74-core-integrations | < 7.74.1-r8 |
| pkg:apk/wolfi/katib-earlystopping | < 0.19.0-r5 |
| pkg:apk/wolfi/katib-suggestion-hyperband | < 0.19.0-r5 |
| pkg:apk/wolfi/katib-suggestion-hyperopt | < 0.19.0-r5 |
| pkg:apk/wolfi/katib-suggestion-nas-darts | < 0.19.0-r5 |
| pkg:apk/wolfi/katib-suggestion-optuna-enas | < 0.19.0-r5 |
| pkg:apk/wolfi/katib-suggestion-pbt-enas | < 0.19.0-r5 |
| pkg:apk/wolfi/katib-suggestion-skopt-enas | < 0.19.0-r5 |
| pkg:apk/wolfi/py3.10-virtualenv | < 21.5.0-r0 |
| pkg:apk/wolfi/py3.11-virtualenv | < 21.5.0-r0 |
| pkg:apk/wolfi/py3.12-virtualenv | < 21.5.0-r0 |
| pkg:apk/wolfi/py3.13-virtualenv | < 21.5.0-r0 |
| pkg:apk/wolfi/pypy-3.10 | < 7.3.19-r15 |
| pkg:apk/wolfi/tensorflow-cpu-jupyter | < 2.20.0-r10 |
| pkg:pypi/pip | < 26.0 |
| pkg:rpm/opensuse/python-pip&distro=openSUSE%20Leap%2015.6 | < 22.3.1-150400.17.19.1 |
| pkg:rpm/opensuse/python-pip&distro=openSUSE%20Leap%2016.0 | < 25.0.1-160000.3.1 |
| pkg:rpm/opensuse/python-pip&distro=openSUSE%20Tumbleweed | < 26.0.1-1.1 |
| pkg:rpm/suse/python-base&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7 | < 2.7.18-150000.120.1 |
| pkg:rpm/suse/python&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7 | < 2.7.18-150000.120.1 |
| pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP4 | < 22.3.1-150400.17.19.1 |
| pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP7 | < 22.3.1-150400.17.19.1 |
| pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 25.0.1-160000.3.1 |
| pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 25.0.1-160000.3.1 |
| pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5 | < 10.0.1-13.17.1 |
References
- github.com/advisories/GHSA-6vgw-5pg2-w6jp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-1703 (ghsa, ADVISORY)
- github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735 (nvd, WEB)
- github.com/pypa/pip/pull/13777 (nvd, WEB)
- mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ (ghsa, WEB)
- mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/ (nvd)