GHSA-78V8-VPJP-CJQH
Vulnerability from github – Published: 2026-06-10 20:33 – Updated: 2026-06-10 20:33
Summary
PDM wheel installation leads to Path Traversal via overridden write_to_fs
Details
InstallDestination.write_to_fs() in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but replaces the safe _path_with_destdir() (which validates via Path.resolve() + is_relative_to()) with a bare os.path.join() that performs no path validation. A malicious wheel with traversal entries can write arbitrary files. Same class as Poetry CVE-2026-34591. Fix ready at: https://github.com/pdm-project/pdm/pull/3787.
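The check the advisory describes as lost, reconstructed as an added example (illustrative code written for this page, not PDM's installer or the fix in the linked pull request). It assumes Python 3.9+ for `Path.is_relative_to()`; the function and archive names are invented for the example, and the wheels are constructed in memory as test data.

```python
"""Rejecting path-traversal members when unpacking a wheel (added example).

Reconstructs the validating pattern named in the advisory: join the member
name onto the destination, resolve it, and require the result to stay inside
the destination directory. A bare os.path.join() performs none of this.
"""
import io
import tempfile
import zipfile
from pathlib import Path


class UnsafeWheelEntry(ValueError):
    """Raised when an archive member would land outside the destination."""


def path_with_destdir(destdir: Path, relpath: str) -> Path:
    """Join `relpath` onto `destdir` and refuse anything that escapes it.

    resolve() collapses '..' segments (and follows symlinks), so the
    containment check sees the real target rather than the literal string.
    An absolute member name is also caught: Path('/dest') / '/etc/passwd'
    yields '/etc/passwd', which is not relative to the base.
    """
    base = Path(destdir).resolve()
    target = (base / relpath).resolve()
    if not target.is_relative_to(base):
        raise UnsafeWheelEntry(f"{relpath!r} escapes {base}")
    return target


def is_safe_member(destdir: Path, relpath: str) -> bool:
    """Boolean form of the check, handy for pre-scanning an archive."""
    try:
        path_with_destdir(destdir, relpath)
    except UnsafeWheelEntry:
        return False
    return True


def extract_wheel(wheel_bytes: bytes, destdir: Path) -> list:
    """Unpack a wheel (a zip archive) into destdir, validating every member.

    All members are checked before any file is written, so a hostile archive
    does not leave a partially installed tree behind.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        targets = [(name, path_with_destdir(destdir, name)) for name in zf.namelist()]
        for name, target in targets:
            if name.endswith("/"):
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(name))
            written.append(target)
    return written


def build_wheel(members: dict) -> bytes:
    """Construct an in-memory zip with the given member names (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives: one ordinary, one carrying a traversal entry.
BENIGN_WHEEL = build_wheel({
    "pkg/__init__.py": b"",
    "pkg-1.0.dist-info/METADATA": b"Name: pkg\n",
})
TRAVERSAL_WHEEL = build_wheel({
    "pkg/__init__.py": b"",
    "../../outside.txt": b"written outside the destination",
})


def install_outcome(wheel_bytes: bytes) -> str:
    """Install into a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "site-packages"
        dest.mkdir()
        try:
            written = extract_wheel(wheel_bytes, dest)
        except UnsafeWheelEntry as exc:
            return f"rejected: {exc}"
        return f"installed {len(written)} files"


if __name__ == "__main__":
    print(install_outcome(BENIGN_WHEEL))
    print(install_outcome(TRAVERSAL_WHEEL))
```

Two design points: validation happens before the first write, so a single bad member aborts the whole install rather than half of it; and because the advisory's vulnerable override exists to add symlink/hardlink support, a real installer must run the same containment check on each link's target path, not only on the link's own name.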
Severity
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.22.4"
},
"package": {
"ecosystem": "PyPI",
"name": "pdm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.27.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47764"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-10T20:33:13Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "InstallDestination.write_to_fs() in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but replaces the safe _path_with_destdir() (which validates via Path.resolve() + is_relative_to()) with a bare os.path.join() that performs no path validation. A malicious wheel with traversal entries can write arbitrary files. Same class as Poetry CVE-2026-34591. Fix ready at: https://github.com/pdm-project/pdm/pull/3787.",
"id": "GHSA-78v8-vpjp-cjqh",
"modified": "2026-06-10T20:33:13Z",
"published": "2026-06-10T20:33:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pdm-project/pdm/security/advisories/GHSA-78v8-vpjp-cjqh"
},
{
"type": "WEB",
"url": "https://github.com/pdm-project/pdm/pull/3787"
},
{
"type": "PACKAGE",
"url": "https://github.com/pdm-project/pdm"
},
{
"type": "WEB",
"url": "https://github.com/pdm-project/pdm/releases/tag/2.27.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PDM wheel installation leads to Path Traversal via overridden write_to_fs"
}