| CVE-2013-1629 |
medium |
— |
6.8 |
|
|
|
13y ago |
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code v… |
| CVE-2026-6357 |
medium |
— |
5.5 |
|
|
|
1mo ago |
pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally defe… |
| CVE-2026-3219 |
medium |
— |
5.5 |
|
|
|
2mo ago |
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as ins… |
| CVE-2019-20916 |
medium |
— |
5.5 |
|
|
|
5y ago |
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwr… |
