| CVE-2013-1629 |
medium |
— |
6.8 |
|
|
|
13y ago |
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code v… |
| CVE-2026-6357 |
medium |
— |
5.5 |
|
|
|
1mo ago |
pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally defe… |
| CVE-2026-3219 |
medium |
— |
5.5 |
|
|
|
2mo ago |
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as ins… |
| CVE-2019-20916 |
medium |
— |
5.5 |
|
|
|
5y ago |
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwr… |
| CVE-2021-3572 |
low |
— |
2.5 |
|
|
|
5y ago |
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest… |
| CVE-2014-8991 |
low |
— |
2.1 |
|
|
|
4y ago |
pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. |
| CVE-2013-1888 |
low |
— |
2.1 |
|
|
|
4y ago |
pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory. |
| CVE-2013-5123 |
unknown |
— |
1.0 |
|
|
|
4y ago |
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. |
| CVE-2026-1703 |
unknown |
— |
— |
|
|
|
4mo ago |
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation dir… |
| CVE-2025-8869 |
unknown |
— |
— |
|
|
|
8mo ago |
When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for th… |
| CVE-2023-5752 |
unknown |
— |
— |
|
|
|
3y ago |
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to th… |
