Package details: pkg:pypi/pip@6.0
purl pkg:pypi/pip@6.0
Next non-vulnerable version 23.3
Latest non-vulnerable version 26.1
Risk
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-fnwn-t9tv-vyg5
Aliases:
CVE-2021-3572
GHSA-5xp3-jfq3-5q8x
PYSEC-2021-437
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
21.1
Affected by 1 other vulnerability.
VCID-gf5x-x4hk-eqft
Aliases:
CVE-2019-20916
GHSA-gpvv-69j7-gwj8
PYSEC-2020-173
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
19.2
Affected by 2 other vulnerabilities.
VCID-j8ag-5x6a-sqfx
Aliases:
PYSEC-2020-192
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
19.2
Affected by 2 other vulnerabilities.
VCID-kfvm-38cs-13h3
Aliases:
CVE-2023-5752
GHSA-mq26-g339-26xf
PYSEC-2023-228
When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (i.e. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
23.3
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-aw56-2fxb-nye4
pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.
CVE-2014-8991
GHSA-53mr-44pp-crf4
PYSEC-2014-11

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-29T17:32:23.350356+00:00 GitLab Importer Fixing VCID-aw56-2fxb-nye4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pip/CVE-2014-8991.yml 38.6.0
2026-05-29T16:41:18.341468+00:00 PyPI Importer Affected by VCID-kfvm-38cs-13h3 https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-29T16:39:40.630558+00:00 PyPI Importer Affected by VCID-fnwn-t9tv-vyg5 https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-29T16:35:14.343234+00:00 PyPI Importer Affected by VCID-j8ag-5x6a-sqfx https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-29T16:35:14.189616+00:00 PyPI Importer Affected by VCID-gf5x-x4hk-eqft https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-29T16:33:25.170231+00:00 PyPI Importer Fixing VCID-aw56-2fxb-nye4 https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-29T14:26:53.171062+00:00 GHSA Importer Fixing VCID-aw56-2fxb-nye4 https://github.com/advisories/GHSA-53mr-44pp-crf4 38.6.0
2026-05-29T09:36:13.514209+00:00 GithubOSV Importer Fixing VCID-aw56-2fxb-nye4 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-53mr-44pp-crf4/GHSA-53mr-44pp-crf4.json 38.6.0
2026-05-29T08:45:24.533530+00:00 Pypa Importer Affected by VCID-kfvm-38cs-13h3 https://github.com/pypa/advisory-database/blob/main/vulns/pip/PYSEC-2023-228.yaml 38.6.0
2026-05-29T08:43:09.774215+00:00 Pypa Importer Affected by VCID-fnwn-t9tv-vyg5 https://github.com/pypa/advisory-database/blob/main/vulns/pip/PYSEC-2021-437.yaml 38.6.0
2026-05-29T08:34:33.869492+00:00 Pypa Importer Affected by VCID-gf5x-x4hk-eqft https://github.com/pypa/advisory-database/blob/main/vulns/pip/PYSEC-2020-173.yaml 38.6.0
2026-05-29T08:31:33.066058+00:00 Pypa Importer Fixing VCID-aw56-2fxb-nye4 https://github.com/pypa/advisory-database/blob/main/vulns/pip/PYSEC-2014-11.yaml 38.6.0