Package details: pkg:pypi/guarddog@2.7.0
purl: pkg:pypi/guarddog@2.7.0
Next non-vulnerable version: 2.10.0
Latest non-vulnerable version: 2.10.0
Risk: 4.0
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-6d6h-j39n-23gt
Aliases: CVE-2026-22871, GHSA-xg9w-vg3g-6m68
Summary: GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, a path traversal vulnerability exists in GuardDog's safe_extract() function that allows malicious PyPI packages to write arbitrary files outside the intended extraction directory, leading to arbitrary file overwrite and remote code execution on systems running GuardDog. This vulnerability is fixed in 2.7.1.
Fixed by: 2.7.1
Affected by 2 other vulnerabilities.
VCID-pbvs-jzwd-nfd6
Aliases: CVE-2026-44971, GHSA-587r-mc96-6f2p
Summary: GuardDog is a CLI tool to identify malicious PyPI packages. From 1.0.0 to 2.9.0, the programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and capture the GH_TOKEN used by GuardDog. This vulnerability is fixed in .
Fixed by: 2.10.0
Affected by 0 other vulnerabilities.
VCID-rkn6-perp-wkf6
Aliases: CVE-2026-44972, GHSA-m5p4-gvpx-4mvr
Summary: GuardDog is a CLI tool to identify malicious PyPI packages. From 2.6.0 to 2.9.0, GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject ANSI or OSC escape sequences into analyst terminals or CI logs.
Fixed by: 2.10.0
Affected by 0 other vulnerabilities.
VCID-rzy2-bwm9-n3hw
Aliases: CVE-2026-22870, GHSA-ffj4-jq7m-9g6v
Summary: GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1.
Fixed by: 2.7.1
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T22:26:41.039539+00:00 GitLab Importer Affected by VCID-pbvs-jzwd-nfd6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/guarddog/CVE-2026-44971.yml 38.6.0
2026-06-12T22:25:38.805068+00:00 GitLab Importer Affected by VCID-rkn6-perp-wkf6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/guarddog/CVE-2026-44972.yml 38.6.0
2026-06-12T20:46:58.765581+00:00 GitLab Importer Affected by VCID-6d6h-j39n-23gt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/guarddog/CVE-2026-22871.yml 38.6.0
2026-06-12T20:45:47.131742+00:00 GitLab Importer Affected by VCID-rzy2-bwm9-n3hw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/guarddog/CVE-2026-22870.yml 38.6.0