Conda
Products (3)
- 4 CVEs
- 3 CVEs
- 1 CVE
Recent CVEs (8)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-58244 | | High | 0.57 | 8.8 | 0.00 | | Sep 22, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in Anps Constructo constructo allows Object Injection. This issue affects Constructo: from n/a through <= 4.3.9. |
| CVE-2025-64343 | | High | 0.51 | 7.8 | 0.00 | | Nov 7, 2025 | (conda) Constructor is a tool that enables users to create installers for conda package collections. In versions 3.12.2 and below, the installation directory inherits permissions from its parent directory. Outside of restricted directories, the permissions are very permissive… |
| CVE-2026-47425 | | | 0.00 | — | 0.00 | | Jun 1, 2026 | ## Summary `EntryPoint::FromStr` in `rattler_conda_types` performs only `.trim()` on the `command` field before the linker joins it onto the install prefix and writes an executable Python script. A malicious `noarch:python` package can ship an `info/link.json` with an… |
| CVE-2025-49823 | | None | 0.00 | 0.0 | 0.00 | | Jun 17, 2025 | (conda) Constructor is a tool which allows constructing an installer for a collection of conda packages. Prior to version 3.11.3, shell installer scripts process the installation prefix (user_prefix) using an eval statement, which executes unsanitized user input as shell code.… |
| CVE-2025-32800 | | | 0.00 | — | 0.01 | | Jun 16, 2025 | Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. An attacker could claim this namespace and upload arbitrary (malicious) code to the… |
| CVE-2025-32799 | | | 0.00 | — | 0.01 | | Jun 16, 2025 | Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitization of tar entry paths. Attackers can craft tar archives containing entries with… |
| CVE-2025-32798 | | | 0.00 | — | 0.01 | | Jun 16, 2025 | Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build recipe processing logic has been found to be vulnerable to arbitrary code execution due to unsafe evaluation of recipe selectors. Currently, conda-build uses the eval… |
| CVE-2025-32797 | | | 0.00 | — | 0.00 | | Jun 16, 2025 | Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users.… |