SB2026040998 - Path traversal in uv



Published: April 9, 2026

Security Bulletin ID: SB2026040998
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity: Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Path traversal (CVE-ID: N/A)

The vulnerability allows a remote user to delete arbitrary files.

The vulnerability exists due to improper path restriction in RECORD entry handling when uninstalling a wheel with crafted relative paths. A remote user can provide a specially crafted wheel to delete arbitrary files.

User interaction is required to install and later uninstall the malformed wheel. Only files can be deleted, and the crafted RECORD entries must be manually manipulated to traverse outside the installation prefix.
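
A defender-side check for the condition described above, as an added example that is not part of the bulletin or of uv's code: it lists RECORD entries that resolve outside the installation prefix. The function names, paths and sample RECORD are constructed for illustration, and the comparison is lexical (symlinks are not resolved).

```python
import csv
import glob
import io
import os


def escaping_record_entries(record_text, site_packages, prefix):
    """Return RECORD paths that resolve (lexically) outside `prefix`."""
    prefix = os.path.abspath(prefix)
    flagged = []
    for row in csv.reader(io.StringIO(record_text)):
        if not row or not row[0]:
            continue
        # RECORD paths are relative to the directory holding the .dist-info
        # folder. Script entries such as ../../../bin/tool are normal, so
        # containment is tested against the prefix, not site-packages.
        # An absolute entry replaces the base in os.path.join().
        target = os.path.abspath(os.path.join(site_packages, row[0]))
        if os.path.commonpath([prefix, target]) != prefix:
            flagged.append(row[0])
    return flagged


def audit_environment(site_packages, prefix):
    """Map each installed RECORD file to its escaping entries."""
    findings = {}
    pattern = os.path.join(site_packages, "*.dist-info", "RECORD")
    for record in glob.glob(pattern):
        with open(record, newline="", encoding="utf-8") as fh:
            bad = escaping_record_entries(fh.read(), site_packages, prefix)
        if bad:
            findings[record] = bad
    return findings


# Constructed sample: hypothetical virtual environment and RECORD content.
PREFIX = "/opt/venv"
SITE_PACKAGES = "/opt/venv/lib/python3.12/site-packages"
SAMPLE_RECORD = (
    "demo/__init__.py,sha256=CONSTRUCTED,12\n"
    "demo-1.0.dist-info/RECORD,,\n"
    "../../../bin/demo-cli,sha256=CONSTRUCTED,200\n"
    "../../../../outside.txt,,\n"
    "/etc/constructed-absolute,,\n"
)

if __name__ == "__main__":
    for entry in escaping_record_entries(SAMPLE_RECORD, SITE_PACKAGES, PREFIX):
        print("escapes prefix:", entry)
```

Running `audit_environment` against an environment before uninstalling an untrusted package shows whether any installed RECORD file references paths outside that environment.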


Remediation

Install the update from the vendor's website.