pip security
About this tag
The pip security tag covers vulnerabilities and supply-chain risks in the Python package manager pip, with a focus on Windows environments. Recent discussions highlight CVE-2026-6357, a medium-severity flaw in pip before version 26.1 where a post-install self-update check could execute attacker-controlled code, and CVE-2026-1703, a path-traversal bug in pip's wheel extraction logic that allows files to be placed outside the intended installation directory. These issues underscore that package managers are a growing attack surface for supply-chain and installer attacks, particularly for Windows developers and administrators who rely on pip for Python package management.
CVE-2026-6357 is a medium-severity flaw disclosed in April 2026 in pip before version 26.1, where pip’s post-install self-update check could import newly installed Python modules after wheel installation and potentially execute attacker-controlled code in a local install scenario. That...
A subtle bug in pip’s wheel extraction logic has produced CVE-2026-1703 — a limited path-traversal flaw that can allow specially crafted wheel (zip) archives to place files outside the intended installation directory during a normal pip install. The defect is narrowly scoped — the traversal is...
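The following is an added example, not code from the pip project or from either thread above. It shows a generic containment check for the class of defect described in the CVE-2026-1703 excerpt: a wheel is a zip archive, so before anything is written to disk every member name can be rejected if it is absolute, carries a Windows drive letter or backslash, or normalizes through `..` to a location outside the install directory. It does not reproduce pip's specific defect, whose exact scope the excerpt leaves unstated; the function names are hypothetical and the sample wheel is constructed in memory.

```python
"""Containment check for wheel (zip) archive members before extraction.

Added example for the CVE-2026-1703 discussion: a generic scanner for
archive members that would escape the install directory. Not pip's code
and not a reproduction of pip's specific defect.
"""
import io
import posixpath
import zipfile

# Sentinel install directory used only for the containment test; the real
# destination is irrelevant because only the member's relationship to its
# root matters.
_ROOT = "root"


def _escapes(name: str) -> bool:
    """True if a zip member name would land outside the install directory."""
    if not name or name.startswith(("/", "\\")):
        return True                      # absolute POSIX or UNC-style path
    if len(name) > 1 and name[1] == ":":
        return True                      # Windows drive-letter form, e.g. C:/...
    if "\\" in name:
        return True                      # backslash is not a valid zip separator
    normalized = posixpath.normpath(posixpath.join(_ROOT, name))
    # After normalization the member must still sit strictly under the root.
    return not normalized.startswith(_ROOT + "/")


def unsafe_members(wheel_bytes: bytes) -> list[str]:
    """Return every member name in the archive that fails the containment check."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return [name for name in zf.namelist() if _escapes(name)]


def safe_extract(wheel_bytes: bytes, dest: str) -> list[str]:
    """Validate the whole archive first, then extract; returns extracted names.

    Validating before extracting matters: a partially extracted archive
    that failed on its last member has already written the earlier ones.
    """
    bad = unsafe_members(wheel_bytes)
    if bad:
        raise ValueError(f"refusing to extract, unsafe members: {bad}")
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample_wheel(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip with arbitrary member names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)      # zipfile does not sanitize names on write
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed wheel mixing legitimate members with traversal attempts.
    crafted = build_sample_wheel({
        "pkg/__init__.py": b"",
        "pkg-1.0.dist-info/METADATA": b"Name: pkg\n",
        "../evil.txt": b"x",
        "/abs/evil.txt": b"y",
        "C:/Windows/evil.dll": b"z",
        "pkg/../../outside.py": b"w",
    })
    for member in unsafe_members(crafted):
        print("unsafe member:", member)
```

Running the script lists the four escaping members; `safe_extract` refuses the whole archive rather than writing the two legitimate files and then failing. The check is deliberately stricter than the zip format requires (it rejects backslashes and drive letters outright) because on Windows those forms are exactly what turns a nominally relative name into an absolute one.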