VYPR
Low severity · OSV Advisory · Published Feb 2, 2026 · Updated Apr 15, 2026

CVE-2026-1703

Description

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, so it cannot inject or overwrite executable files in typical situations.
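A traversal that is "limited to prefixes of the installation directory" is the behaviour a character-wise prefix containment check produces. The following is an added example, not pip's code and not part of this advisory: it assumes such a check, and the function names, directory and archive member names are constructed for illustration. It compares the weak check with a path-component check over the same member list.

```python
import posixpath


def within_by_string_prefix(directory: str, target: str) -> bool:
    """Weak check (assumed pattern): character-wise prefix comparison.

    A sibling directory whose name merely starts with the same characters
    as `directory` is treated as being inside it.
    """
    abs_directory = posixpath.normpath(directory)
    abs_target = posixpath.normpath(target)
    return abs_target.startswith(abs_directory)


def within_by_path_components(directory: str, target: str) -> bool:
    """Hardened check: compares whole path components, not characters."""
    abs_directory = posixpath.normpath(directory)
    abs_target = posixpath.normpath(target)
    return posixpath.commonpath([abs_directory, abs_target]) == abs_directory


def audit_members(dest_dir, member_names, check):
    """Return the archive member names that `check` refuses to extract."""
    refused = []
    for name in member_names:
        target = posixpath.join(dest_dir, name)
        if not check(dest_dir, target):
            refused.append(name)
    return refused


# Constructed sample data (not taken from any real wheel).
DEST = "/opt/app/site-packages"
MEMBERS = [
    "demo/__init__.py",              # normal member, stays inside DEST
    "../site-packages-old/demo.py",  # resolves to a sibling sharing the string prefix
    "../../etc/demo.conf",           # resolves well outside DEST
]

if __name__ == "__main__":
    for label, check in (("string prefix", within_by_string_prefix),
                         ("path components", within_by_path_components)):
        print(f"{label}: refused {audit_members(DEST, MEMBERS, check)}")
```

The prefix check refuses only the member that leaves the shared string prefix, which is why the escape is confined to directories whose names begin with the installation directory's path.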


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pip (PyPI)
Affected versions: < 26.0
Patched versions: 26.0

Affected products: 76
