Path Traversal Vulnerability in Python's pkgutil Module
CVE-2026-3479

2.1LOW

Key Information:

Vendor

Python Software Foundation

Status
Cpython
Vendor
CVE Published:
18 March 2026

What is CVE-2026-3479?

The pkgutil.get_data() function in Python's CPython does not properly validate the resource argument, which can lead to path traversal vulnerabilities. This potentially allows an attacker to access files on the filesystem that should be restricted, compromising the security of applications that rely on this function. Developers are advised to update their implementations to include proper validation to prevent unauthorized file access.

Affected Version(s)

CPython 0 < 3.13.13

CPython 3.14.0 < 3.14.4

CPython 3.15.0a1 < 3.15.0a8

References

https://github.com/python/cpython/pull/146122
patch
https://mail.python.org/archives/list/security-announce@p...
vendor-advisory
https://github.com/python/cpython/issues/146121
issue-tracking

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.