Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/pip@6.0.8
Typepypi
Namespace
Namepip
Version6.0.8
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version26.0
Latest_non_vulnerable_version26.0
Affected_by_vulnerabilities
0
url VCID-75s4-h132-6fe1
vulnerability_id VCID-75s4-h132-6fe1
summary A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
references
0
reference_url https://access.redhat.com/errata/RHSA-2021:3254
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2021:3254
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3572.json
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3572.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-3572
reference_id
reference_type
scores
0
value 0.0024
scoring_system epss
scoring_elements 0.47103
published_at 2026-04-18T12:55:00Z
1
value 0.0024
scoring_system epss
scoring_elements 0.47047
published_at 2026-04-09T12:55:00Z
2
value 0.0024
scoring_system epss
scoring_elements 0.47051
published_at 2026-04-13T12:55:00Z
3
value 0.0024
scoring_system epss
scoring_elements 0.46996
published_at 2026-04-07T12:55:00Z
4
value 0.0024
scoring_system epss
scoring_elements 0.47049
published_at 2026-04-04T12:55:00Z
5
value 0.0024
scoring_system epss
scoring_elements 0.4703
published_at 2026-04-02T12:55:00Z
6
value 0.0024
scoring_system epss
scoring_elements 0.47072
published_at 2026-04-11T12:55:00Z
7
value 0.0024
scoring_system epss
scoring_elements 0.46993
published_at 2026-04-01T12:55:00Z
8
value 0.0024
scoring_system epss
scoring_elements 0.47045
published_at 2026-04-12T12:55:00Z
9
value 0.0024
scoring_system epss
scoring_elements 0.47107
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-3572
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1962856
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=1962856
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3572
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3572
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/advisories/GHSA-5xp3-jfq3-5q8x
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-5xp3-jfq3-5q8x
7
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml
8
reference_url https://github.com/pypa/pip
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/pip
9
reference_url https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
10
reference_url https://github.com/pypa/pip/pull/9827
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/pip/pull/9827
11
reference_url https://packetstormsecurity.com/files/162712/USN-4961-1.txt
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://packetstormsecurity.com/files/162712/USN-4961-1.txt
12
reference_url https://security.netapp.com/advisory/ntap-20240621-0006
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240621-0006
13
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
14
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
15
reference_url https://security.archlinux.org/AVG-2036
reference_id AVG-2036
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2036
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-3572
reference_id CVE-2021-3572
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-3572
17
reference_url https://access.redhat.com/errata/RHSA-2021:4160
reference_id RHSA-2021:4160
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4160
18
reference_url https://access.redhat.com/errata/RHSA-2021:4162
reference_id RHSA-2021:4162
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4162
19
reference_url https://access.redhat.com/errata/RHSA-2021:4455
reference_id RHSA-2021:4455
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4455
20
reference_url https://usn.ubuntu.com/USN-4961-2/
reference_id USN-USN-4961-2
reference_type
scores
url https://usn.ubuntu.com/USN-4961-2/
fixed_packages
0
url pkg:pypi/pip@21.1
purl pkg:pypi/pip@21.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ecex-5hqz-9bbd
1
vulnerability VCID-etur-1aaz-9uf3
2
vulnerability VCID-g6gg-vgks-xyeb
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pip@21.1
aliases CVE-2021-3572, GHSA-5xp3-jfq3-5q8x, PYSEC-2021-437
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-75s4-h132-6fe1
1
url VCID-a1m5-12w5-sffd
vulnerability_id VCID-a1m5-12w5-sffd
summary The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html
reference_id
reference_type
scores
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html
reference_id
reference_type
scores
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html
2
reference_url https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace
reference_id
reference_type
scores
url https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace
3
reference_url https://github.com/pypa/pip/compare/19.1.1...19.2
reference_id
reference_type
scores
url https://github.com/pypa/pip/compare/19.1.1...19.2
4
reference_url https://github.com/pypa/pip/issues/6413
reference_id
reference_type
scores
url https://github.com/pypa/pip/issues/6413
5
reference_url https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html
fixed_packages
0
url pkg:pypi/pip@19.2
purl pkg:pypi/pip@19.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-75s4-h132-6fe1
1
vulnerability VCID-ecex-5hqz-9bbd
2
vulnerability VCID-etur-1aaz-9uf3
3
vulnerability VCID-g6gg-vgks-xyeb
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pip@19.2
aliases PYSEC-2020-192
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a1m5-12w5-sffd
2
url VCID-ecex-5hqz-9bbd
vulnerability_id VCID-ecex-5hqz-9bbd
summary 
pip's fallback tar extraction doesn't check symbolic links point to extraction directory
When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8869.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8869.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-8869
reference_id
reference_type
scores
0
value 0.00017
scoring_system epss
scoring_elements 0.03824
published_at 2026-04-16T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05366
published_at 2026-04-02T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.05413
published_at 2026-04-13T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.0542
published_at 2026-04-12T12:55:00Z
4
value 0.0002
scoring_system epss
scoring_elements 0.05433
published_at 2026-04-11T12:55:00Z
5
value 0.0002
scoring_system epss
scoring_elements 0.05459
published_at 2026-04-09T12:55:00Z
6
value 0.0002
scoring_system epss
scoring_elements 0.05438
published_at 2026-04-08T12:55:00Z
7
value 0.0002
scoring_system epss
scoring_elements 0.05403
published_at 2026-04-07T12:55:00Z
8
value 0.0002
scoring_system epss
scoring_elements 0.05397
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-8869
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8869
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8869
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/pypa/pip
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/pip
5
reference_url https://github.com/pypa/pip/commit/f2b92314da012b9fffa36b3f3e67748a37ef464a
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/pip/commit/f2b92314da012b9fffa36b3f3e67748a37ef464a
6
reference_url https://github.com/pypa/pip/pull/13550
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-16T19:47:29Z/
url https://github.com/pypa/pip/pull/13550
7
reference_url https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html
8
reference_url https://mail.python.org/archives/list/security-announce@python.org/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://mail.python.org/archives/list/security-announce@python.org/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN
9
reference_url https://pip.pypa.io/en/stable/news/#v25-2
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://pip.pypa.io/en/stable/news/#v25-2
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116336
reference_id 1116336
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116336
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2397852
reference_id 2397852
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2397852
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-8869
reference_id CVE-2025-8869
reference_type
scores
0
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-8869
13
reference_url https://github.com/advisories/GHSA-4xh5-x5gv-qwph
reference_id GHSA-4xh5-x5gv-qwph
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4xh5-x5gv-qwph
14
reference_url https://mail.python.org/archives/list/security-announce@python.org/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN/
reference_id IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN
reference_type
scores
0
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-16T19:47:29Z/
url https://mail.python.org/archives/list/security-announce@python.org/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN/
fixed_packages
0
url pkg:pypi/pip@25.3
purl pkg:pypi/pip@25.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-etur-1aaz-9uf3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pip@25.3
aliases CVE-2025-8869, GHSA-4xh5-x5gv-qwph
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ecex-5hqz-9bbd
3
url VCID-etur-1aaz-9uf3
vulnerability_id VCID-etur-1aaz-9uf3
summary 
pip Path Traversal vulnerability
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1703.json
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1703.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-1703
reference_id
reference_type
scores
0
value 0.00022
scoring_system epss
scoring_elements 0.05935
published_at 2026-04-04T12:55:00Z
1
value 0.00022
scoring_system epss
scoring_elements 0.06002
published_at 2026-04-09T12:55:00Z
2
value 0.00022
scoring_system epss
scoring_elements 0.05901
published_at 2026-04-02T12:55:00Z
3
value 0.00022
scoring_system epss
scoring_elements 0.05962
published_at 2026-04-08T12:55:00Z
4
value 0.00022
scoring_system epss
scoring_elements 0.05924
published_at 2026-04-07T12:55:00Z
5
value 0.00026
scoring_system epss
scoring_elements 0.07151
published_at 2026-04-12T12:55:00Z
6
value 0.00026
scoring_system epss
scoring_elements 0.07162
published_at 2026-04-11T12:55:00Z
7
value 0.00026
scoring_system epss
scoring_elements 0.07143
published_at 2026-04-13T12:55:00Z
8
value 0.00026
scoring_system epss
scoring_elements 0.07078
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-1703
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1703
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1703
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/pypa/pip
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/pip
5
reference_url https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
reference_id
reference_type
scores
0
value 2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-02T17:21:09Z/
url https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
6
reference_url https://github.com/pypa/pip/pull/13777
reference_id
reference_type
scores
0
value 2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-02T17:21:09Z/
url https://github.com/pypa/pip/pull/13777
7
reference_url https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-1703
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-1703
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126875
reference_id 1126875
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126875
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2436000
reference_id 2436000
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2436000
11
reference_url https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/
reference_id WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ
reference_type
scores
0
value 2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-02T17:21:09Z/
url https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/
fixed_packages
0
url pkg:pypi/pip@26.0
purl pkg:pypi/pip@26.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pip@26.0
aliases CVE-2026-1703, GHSA-6vgw-5pg2-w6jp
risk_score 1.8
exploitability 0.5
weighted_severity 3.5
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-etur-1aaz-9uf3
4
url VCID-g6gg-vgks-xyeb
vulnerability_id VCID-g6gg-vgks-xyeb
summary 
When installing a package from a Mercurial VCS URL  (ie "pip install 
hg+...") with pip prior to v23.3, the specified Mercurial revision could
 be used to inject arbitrary configuration options to the "hg clone" 
call (ie "--config"). Controlling the Mercurial configuration can modify
 how and which repository is installed. This vulnerability does not 
affect users who aren't installing from Mercurial.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5752.json
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5752.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-5752
reference_id
reference_type
scores
0
value 0.00075
scoring_system epss
scoring_elements 0.22709
published_at 2026-04-02T12:55:00Z
1
value 0.00075
scoring_system epss
scoring_elements 0.22607
published_at 2026-04-16T12:55:00Z
2
value 0.00075
scoring_system epss
scoring_elements 0.22592
published_at 2026-04-13T12:55:00Z
3
value 0.00075
scoring_system epss
scoring_elements 0.22648
published_at 2026-04-12T12:55:00Z
4
value 0.00075
scoring_system epss
scoring_elements 0.22688
published_at 2026-04-11T12:55:00Z
5
value 0.00075
scoring_system epss
scoring_elements 0.22671
published_at 2026-04-09T12:55:00Z
6
value 0.00075
scoring_system epss
scoring_elements 0.22617
published_at 2026-04-08T12:55:00Z
7
value 0.00075
scoring_system epss
scoring_elements 0.22753
published_at 2026-04-04T12:55:00Z
8
value 0.00075
scoring_system epss
scoring_elements 0.2254
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-5752
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5752
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5752
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2023-228.yaml
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2023-228.yaml
5
reference_url https://github.com/pypa/pip
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/pip
6
reference_url https://github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4
7
reference_url https://github.com/pypa/pip/pull/12306
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
2
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T13:38:11Z/
url https://github.com/pypa/pip/pull/12306
8
reference_url https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ
14
reference_url https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL
15
reference_url https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T13:38:11Z/
url https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2250765
reference_id 2250765
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2250765
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/
reference_id 622OZXWG72ISQPLM5Y57YCVIMWHD4C3U
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T13:38:11Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/
18
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/
reference_id 65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T13:38:11Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-5752
reference_id CVE-2023-5752
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-5752
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/
reference_id FXUVMJM25PUAZRQZBF54OFVKTY3MINPW
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T13:38:11Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/
21
reference_url https://github.com/advisories/GHSA-mq26-g339-26xf
reference_id GHSA-mq26-g339-26xf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mq26-g339-26xf
22
reference_url https://security.gentoo.org/glsa/202501-03
reference_id GLSA-202501-03
reference_type
scores
url https://security.gentoo.org/glsa/202501-03
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/
reference_id KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T13:38:11Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/
24
reference_url https://access.redhat.com/errata/RHSA-2024:3781
reference_id RHSA-2024:3781
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3781
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/
reference_id YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T13:38:11Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/
fixed_packages
0
url pkg:pypi/pip@23.3
purl pkg:pypi/pip@23.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ecex-5hqz-9bbd
1
vulnerability VCID-etur-1aaz-9uf3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pip@23.3
aliases CVE-2023-5752, GHSA-mq26-g339-26xf, PYSEC-2023-228
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g6gg-vgks-xyeb
5
url VCID-vrnn-n6vw-gygb
vulnerability_id VCID-vrnn-n6vw-gygb
summary The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20916.json
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20916.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-20916
reference_id
reference_type
scores
0
value 0.00622
scoring_system epss
scoring_elements 0.70083
published_at 2026-04-08T12:55:00Z
1
value 0.00622
scoring_system epss
scoring_elements 0.70035
published_at 2026-04-07T12:55:00Z
2
value 0.00622
scoring_system epss
scoring_elements 0.70058
published_at 2026-04-04T12:55:00Z
3
value 0.00622
scoring_system epss
scoring_elements 0.70043
published_at 2026-04-02T12:55:00Z
4
value 0.00622
scoring_system epss
scoring_elements 0.70138
published_at 2026-04-16T12:55:00Z
5
value 0.00622
scoring_system epss
scoring_elements 0.70095
published_at 2026-04-13T12:55:00Z
6
value 0.00622
scoring_system epss
scoring_elements 0.70108
published_at 2026-04-12T12:55:00Z
7
value 0.00622
scoring_system epss
scoring_elements 0.70122
published_at 2026-04-11T12:55:00Z
8
value 0.00622
scoring_system epss
scoring_elements 0.70099
published_at 2026-04-09T12:55:00Z
9
value 0.00622
scoring_system epss
scoring_elements 0.70031
published_at 2026-04-01T12:55:00Z
10
value 0.00622
scoring_system epss
scoring_elements 0.70148
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-20916
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20916
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20916
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/advisories/GHSA-gpvv-69j7-gwj8
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-gpvv-69j7-gwj8
7
reference_url https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace
8
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2020-173.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2020-173.yaml
9
reference_url https://github.com/pypa/pip
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/pip
10
reference_url https://github.com/pypa/pip/compare/19.1.1...19.2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/pip/compare/19.1.1...19.2
11
reference_url https://github.com/pypa/pip/issues/6413
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/pip/issues/6413
12
reference_url https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-20916
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-20916
14
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
15
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1868135
reference_id 1868135
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1868135
17
reference_url https://access.redhat.com/errata/RHSA-2020:4273
reference_id RHSA-2020:4273
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:4273
18
reference_url https://access.redhat.com/errata/RHSA-2020:4285
reference_id RHSA-2020:4285
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:4285
19
reference_url https://access.redhat.com/errata/RHSA-2020:4432
reference_id RHSA-2020:4432
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:4432
20
reference_url https://access.redhat.com/errata/RHSA-2020:4654
reference_id RHSA-2020:4654
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:4654
21
reference_url https://access.redhat.com/errata/RHSA-2022:5234
reference_id RHSA-2022:5234
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:5234
22
reference_url https://usn.ubuntu.com/4601-1/
reference_id USN-4601-1
reference_type
scores
url https://usn.ubuntu.com/4601-1/
fixed_packages
0
url pkg:pypi/pip@19.2
purl pkg:pypi/pip@19.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-75s4-h132-6fe1
1
vulnerability VCID-ecex-5hqz-9bbd
2
vulnerability VCID-etur-1aaz-9uf3
3
vulnerability VCID-g6gg-vgks-xyeb
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pip@19.2
aliases CVE-2019-20916, GHSA-gpvv-69j7-gwj8, PYSEC-2020-173
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vrnn-n6vw-gygb
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/pip@6.0.8