PyPI package
poetry
pkg:pypi/poetry
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41140 | Low | — | | < 2.3.4 | 2.3.4 | Apr 24, 2026 | Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions whic |
| CVE-2026-34591 | Med | 6.5 | | >= 1.4.0, < 2.3.3 | 2.3.3 | Apr 2, 2026 | Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrus |
| CVE-2022-36069 | | — | | < 1.1.9 | 1.1.9 | Sep 7, 2022 | Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, P |
| CVE-2022-36070 | | — | | < 1.1.9 | 1.1.9 | Sep 7, 2022 | Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable's name and not its absolute path. This can lead to the execution of untru |
| CVE-2022-26184 | | — | | < 1.1.9 | 1.1.9 | Mar 21, 2022 | Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is run on Windows OS |