A subtle bug in pip’s wheel extraction logic has produced CVE‑2026‑1703 — a limited path‑traversal flaw that can allow specially crafted wheel (zip) archives to place files outside the intended installation directory during a normal pip install. The defect is narrowly scoped — the traversal is...
