CVE-2026-1703

Published: Feb 2, 2026

Modified: Feb 2, 2026

PUBLISHED

Description

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, and thus cannot inject or overwrite executable files in typical situations.

Vendor: Python Packaging Authority

Product: pip

Versions: affected, 0 - < 26.0

Weaknesses (CWE)
