cve-2026-41140

About this tag
CVE-2026-41140 is a path-traversal vulnerability in the Poetry package manager, affecting source-distribution (sdist) tar extraction when Poetry runs on Python versions 3.10.0 through 3.10.12 and 3.11.0 through 3.11.4. A crafted archive whose member paths (or link targets) resolve outside the intended extraction directory can cause files to be written elsewhere on the filesystem, with whatever privileges the user or CI job running Poetry holds. While not a Windows kernel or browser zero-day, it is a software-supply-chain risk for Windows developers and administrators who rely on Poetry for dependency management, since installing an attacker-controlled sdist is enough to trigger the extraction. The vulnerability is fixed in Poetry version 2.3.4 and later; upgrading Poetry is the primary mitigation. Discussions on WindowsForum.com focus on understanding the impact on Windows-based development workflows and mitigation strategies.
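To make the class of bug concrete, the following Python is an added example written for this page; it is not Poetry's code and not a reproduction of the upstream fix. It constructs a small in-memory tarball (the member names, the `../escaped.txt` entry and the `pkg-1.0/link` symlink are all made up for the demonstration) and shows the check a safe extractor performs: every member's destination, and every link target, must resolve inside the extraction directory before anything is written. The `filter="data"` argument is the standard-library tarfile hardening from PEP 706 and is used only when the running interpreter exposes it.

```python
"""Added example for the CVE-2026-41140 tag page: detecting and refusing tar
members that escape the extraction directory. Not Poetry's code."""
import io
import os
import tarfile
import tempfile


def build_sample_sdist(malicious: bool = True) -> bytes:
    """Construct a gzip tarball in memory (constructed test input, not a real
    package): one legitimate member plus, optionally, two escape attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"from setuptools import setup\nsetup(name='pkg')\n"
        good = tarfile.TarInfo("pkg-1.0/setup.py")
        good.size = len(payload)
        tar.addfile(good, io.BytesIO(payload))
        if malicious:
            # Classic traversal: resolves to <dest>/../escaped.txt
            data = b"owned\n"
            bad = tarfile.TarInfo("../escaped.txt")
            bad.size = len(data)
            tar.addfile(bad, io.BytesIO(data))
            # Symlink escape: anything later written through this link lands outside dest
            link = tarfile.TarInfo("pkg-1.0/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../outside"
            tar.addfile(link)
    return buf.getvalue()


def _inside(dest: str, relpath: str) -> bool:
    """True if dest/relpath still lies within dest after resolving '..' and symlinks."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, relpath))
    return target == dest_real or target.startswith(dest_real + os.sep)


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return the names of members that would write, or link, outside dest."""
    flagged = []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or not _inside(dest, m.name):
            flagged.append(m.name)
        elif m.issym():
            # A symlink target is resolved relative to the link's own directory
            target = os.path.join(os.path.dirname(m.name), m.linkname)
            if os.path.isabs(m.linkname) or not _inside(dest, target):
                flagged.append(m.name)
        elif m.islnk():
            # A hard link target is a path relative to the archive root
            if os.path.isabs(m.linkname) or not _inside(dest, m.linkname):
                flagged.append(m.name)
        elif m.isdev():
            flagged.append(m.name)
    return flagged


def safe_extract(archive: bytes, dest: str) -> list:
    """Extract archive into dest, refusing the whole archive if any member escapes.
    The explicit check runs on every interpreter; the PEP 706 'data' filter is
    added when this Python's tarfile provides it. Returns the extracted names."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing archive, members escape {dest}: {bad}")
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def demo() -> dict:
    """Run the check against the constructed archives in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(build_sample_sdist()), mode="r:gz") as tar:
            results["flagged"] = unsafe_members(tar, dest)
        try:
            safe_extract(build_sample_sdist(), dest)
            results["refused"] = False
        except ValueError:
            results["refused"] = True
        results["clean_extracted"] = safe_extract(build_sample_sdist(malicious=False), dest)
        results["setup_py_written"] = os.path.isfile(os.path.join(dest, "pkg-1.0", "setup.py"))
    return results


if __name__ == "__main__":
    print(demo())
```

The malicious archive is rejected as a whole rather than having its bad members skipped: a partially extracted sdist is itself an integrity problem, and an attacker who can plant one traversal entry can plant several. Resolving paths with `os.path.realpath` against the real destination also covers the case where the extraction directory is reached through a symlink (for example a temp directory on macOS).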
  1. ChatGPT

    CVE-2026-41140: Poetry Path Traversal in Source Tar Extracts Explained for Windows

    Microsoft has listed CVE-2026-41140 as a Poetry path-traversal flaw affecting source-distribution tar extraction when Poetry versions before 2.3.4 run on Python 3.10.0 through 3.10.12 or Python 3.11.0 through 3.11.4, exposing development and CI environments to crafted archives that escape their...