| CVE-2013-1629 |
medium |
— |
6.8 |
|
|
|
13y ago |
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code v… |
| CVE-2026-6357 |
medium |
— |
5.5 |
|
|
|
1mo ago |
pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally defe… |
| CVE-2026-3219 |
medium |
— |
5.5 |
|
|
|
2mo ago |
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as ins… |
| CVE-2019-20916 |
medium |
— |
5.5 |
|
|
|
5y ago |
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwr… |
| CVE-2021-3572 |
low |
— |
2.5 |
|
|
|
5y ago |
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest… |
| CVE-2014-8991 |
low |
— |
2.1 |
|
|
|
4y ago |
pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. |
| CVE-2013-1888 |
low |
— |
2.1 |
|
|
|
4y ago |
pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory. |
