Home > Vulnerability Database > CVE-2026-1703

Mend.io Vulnerability Database

CVE-2026-1703

Good to know:

Date: February 2, 2026

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Severity Score

3.5

Related Resources (7)

Url: https://github.com/pypa/pip/pull/13777

Url: https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-1703

Url: https://github.com/pypa/pip

Url: https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ

Url: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735

Url: https://www.mend.io/vulnerability-database/CVE-2026-1703

Severity Score

3.5

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version pip - 26.0;pip - 26.0;https://github.com/pypa/pip.git - 26.0

Learn More

CVSS v3.1

Base Score:	3.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-1703

Good to know:

Date: February 2, 2026

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?