QwikSec

Security Database

CVE

CWE

Training

CVE-2026-3479

Published: Mar 18, 2026

Modified: Apr 7, 2026

PUBLISHED

Description

DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.

Vendor	Product	Versions
Python Software Foundation	CPython	affected `0 - < 3.13.13` affected `3.14.0 - < 3.14.4` affected `3.15.0a1 - < 3.15.0a8`

References

https://github.com/python/cpython/pull/146122

patch

https://mail.python.org/archives/list/[email protected]/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/

vendor-advisory

https://github.com/python/cpython/issues/146121

issue-tracking

https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7

patch

https://github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fe

patch

https://github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943

patch

https://github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59c

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.