CVE-2026-3479 | THREATINT

Description

DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.

PUBLISHED Reserved 2026-03-03 | Published 2026-03-18 | Updated 2026-04-07 | Assigner PSF

Product status

Default status

unaffected

Any version before 3.13.13

affected

3.14.0 (python) before 3.14.4

affected

3.15.0a1 (python) before 3.15.0a8

affected

References

github.com/python/cpython/pull/146122 patch

mail.python.org/.../thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/ vendor-advisory

github.com/python/cpython/issues/146121 issue-tracking

github.com/...ommit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7 patch

github.com/...ommit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fe patch

github.com/...ommit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943 patch

github.com/...ommit/d786d59a8f7196bb630100a869f28ad13436b59c patch

cve.org (CVE-2026-3479)

nvd.nist.gov (CVE-2026-3479)

Download JSON

help @ threatint.eu