Package details: pkg:deb/debian/python-virtualenv@20.4.0%2Bds-2%2Bdeb11u1
purl pkg:deb/debian/python-virtualenv@20.4.0%2Bds-2%2Bdeb11u1
Next non-vulnerable version 21.4.1+ds-1
Latest non-vulnerable version 21.4.1+ds-1
Risk 4.4
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-f185-g69j-yyhp
Aliases:
BIT-virtualenv-2024-53899
CVE-2024-53899
GHSA-rqc4-2hc7-8c8v
PYSEC-2024-187
virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
20.31.2+ds-1
Affected by 1 other vulnerability.
VCID-wa8m-cxrq-87bn
Aliases:
CVE-2026-22702
GHSA-597g-3phw-6986
virtualenv Has TOCTOU Vulnerabilities in Directory Creation

TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in `virtualenv` allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations.

**Affected versions:** All versions up to and including 20.36.1

**Affected users:** Any user running `virtualenv` on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where `VIRTUALENV_OVERRIDE_APP_DATA` points to a user-writable location.

**Attack scenarios:**
- Cache poisoning: Attacker corrupts wheels or Python metadata in the cache
- Information disclosure: Attacker reads sensitive cached data or metadata
- Lock bypass: Attacker controls lock file semantics to cause concurrent access violations
- Denial of service: Lock starvation preventing virtualenv operations
21.3.1+ds-1
Affected by 0 other vulnerabilities.
21.4.1+ds-1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-05T19:23:46.403503+00:00 Debian Importer Affected by VCID-wa8m-cxrq-87bn https://security-tracker.debian.org/tracker/data/json 38.6.0
2026-06-05T19:10:37.528381+00:00 Debian Importer Affected by VCID-f185-g69j-yyhp https://security-tracker.debian.org/tracker/data/json 38.6.0