CVE-2026-1703
Publication date 2 February 2026
Last updated 10 July 2026
Ubuntu priority
Description
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
Why is this CVE low priority?
Limited scope and requires a user to extract a maliciously crafted wheel. Normal users are not vulnerable.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-pip | 26.04 LTS resolute |
Vulnerable
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial | Ignored end of ESM support, was needed | |
| 14.04 LTS trusty |
Vulnerable
|
Severity score breakdown
CVSS version: CVSS v4.0
Base score
2.0 · Low
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N