VYPR

PyPI package

guarddog

pkg:pypi/guarddog

Vulnerabilities (6)

  • CVE-2026-44972 · Medium · May 27, 2026
    affected >= 2.6.0, <= 2.9.0

    GuardDog is a CLI tool to identify malicious PyPI packages. From 2.6.0 to 2.9.0, GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can

  • CVE-2026-44971 · High · May 27, 2026
    affected >= 1.0.0, <= 2.9.0

    GuardDog is a CLI tool to identify malicious PyPI packages. From 1.0.0 to 2.9.0, the programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request.

  • CVE-2026-22871 · Jan 13, 2026
    affected < 2.7.1, fixed 2.7.1

    GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, a path traversal vulnerability exists in GuardDog's safe_extract() function that allows malicious PyPI packages to write arbitrary files outside the intended extraction directory, leading to Arbi

  • CVE-2026-22870 · Jan 13, 2026
    affected < 2.7.1, fixed 2.7.1

    GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious packa

  • CVE-2022-23531 · Dec 16, 2022
    affected < 0.1.5, fixed 0.1.5

    GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary fil

  • CVE-2022-23530 · Dec 16, 2022
    affected < 0.1.8, fixed 0.1.8

    GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validatin