VYPR

PyPI package

poetry

pkg:pypi/poetry

Vulnerabilities (5)

  • CVE-2026-41140LowApr 24, 2026
    affected < 2.3.4fixed 2.3.4

    Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions whic

  • CVE-2026-34591MedApr 2, 2026
    affected >= 1.4.0, < 2.3.3fixed 2.3.3

    Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrus

  • CVE-2022-36069Sep 7, 2022
    affected < 1.1.9fixed 1.1.9

    Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, P

  • CVE-2022-36070Sep 7, 2022
    affected < 1.1.9fixed 1.1.9

    Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untru

  • CVE-2022-26184Mar 21, 2022
    affected < 1.1.9fixed 1.1.9

    Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS