Main Vulnerability Database SB2026040996

SB2026040996 - Path traversal in uv

Published: April 9, 2026

Security Bulletin ID SB2026040996

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: N/A)

The vulnerability allows a remote attacker to write files outside the intended installation prefix.

The vulnerability exists due to path traversal in tar extraction when processing a specially crafted source distribution with a sequence of symlinks. A remote attacker can provide a specially crafted source distribution to write files outside the intended installation prefix.

Only source distribution installations are affected; wheel installations are not affected.

Remediation

Install update from vendor's website.

References

https://github.com/astral-sh/uv/security/advisories/GHSA-7j9j-68r2-f35q
https://github.com/advisories/GHSA-7j9j-68r2-f35q