| CVE-2021-3572 |
low |
— |
2.5 |
|
|
|
5y ago |
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest… |
| CVE-2014-8991 |
low |
— |
2.1 |
|
|
|
4y ago |
pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. |
| CVE-2013-1888 |
low |
— |
2.1 |
|
|
|
4y ago |
pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory. |
| CVE-2013-5123 |
unknown |
— |
1.0 |
|
|
|
4y ago |
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. |
| CVE-2026-1703 |
unknown |
— |
— |
|
|
|
4mo ago |
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation dir… |
| CVE-2025-8869 |
unknown |
— |
— |
|
|
|
8mo ago |
When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for th… |
| CVE-2023-5752 |
unknown |
— |
— |
|
|
|
3y ago |
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to th… |
