pypa
Latest CVEs
The 14 most recently published vulnerabilities affecting pypa projects (pip, setuptools, wheel, virtualenv, pipenv). Each entry gives the CVE ID, its title or summary, and the severity score in parentheses.
- CVE-2026-8643: pip can extract console_scripts and gui_scripts outside installation directory (5.5)
- CVE-2026-24049: wheel allows arbitrary file permission modification via path traversal (7.1)
- CVE-2026-22702: virtualenv has TOCTOU vulnerabilities in directory creation (4.5)
- CVE-2025-47273: setuptools has a path traversal vulnerability in PackageIndex.download that leads to arbitrary file write (8.8)
- CVE-2024-6345: Remote code execution in pypa/setuptools (8.8)
- CVE-2023-5752: Mercurial configuration injectable in repo revision when installing via pip (5.5)
- CVE-2022-21668: Pipenv's requirements.txt parsing allows malicious index URL in comments (8.0)
- CVE-2021-3572: A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highe... (5.7)
- CVE-2019-20916: The pip package before 19.2 for Python allows directory traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by over... (7.5)
- CVE-2018-20225: An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This o... (7.8)
- CVE-2013-5123: The mirroring support (-M, --use-mirrors) in Python pip before 1.5 uses insecure DNS querying and authenticity checks, which allows attackers to perform man-in-the-middle attacks (5.9)
- CVE-2014-8991: pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user (2.1)
- CVE-2013-1888: pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory (2.1)
- CVE-2013-1629: pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code... (6.8)