rpm package
suse/python-pip&distro=SUSE Linux Enterprise Server for SAP applications 16.0
pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-6357 | Med | — | | < 25.0.1-160000.4.1 | 25.0.1-160000.4.1 | Apr 27, 2026 | pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update funct |
| CVE-2026-3219 | Med | — | | < 25.0.1-160000.4.1 | 25.0.1-160000.4.1 | Apr 20, 2026 | pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior |
| CVE-2026-1703 | Low | — | | < 25.0.1-160000.3.1 | 25.0.1-160000.3.1 | Feb 2, 2026 | When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat |