None severityNVD Advisory· Published Mar 18, 2026· Updated Apr 7, 2026
CVE-2026-3479
CVE-2026-3479
Description
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.
pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fenvd
- github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7nvd
- github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943nvd
- github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59cnvd
- github.com/python/cpython/issues/146121nvd
- github.com/python/cpython/pull/146122nvd
- mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/nvd
News mentions
0No linked articles in our index yet.