VYPR

apk package

wolfi/py3.12-pip

pkg:apk/wolfi/py3.12-pip

Vulnerabilities (6)

  • CVE-2026-6357MedApr 27, 2026
    affected < 26.1.1-r0fixed 26.1.1-r0

    pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update funct

  • CVE-2026-3219MedApr 20, 2026
    affected < 26.1.1-r0fixed 26.1.1-r0

    pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior

  • CVE-2025-8869MedSep 24, 2025
    affected < 25.2-r2fixed 25.2-r2

    When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by usi

  • CVE-2025-50182Jun 19, 2025
    affected < 25.3-r1fixed 25.3-r1

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2024-47081MedJun 9, 2025
    affected < 0fixed 0

    Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc

  • CVE-2018-20225HigMay 8, 2020
    affected < 0fixed 0

    An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the