Path Traversal Vulnerability in Python's pkgutil Module
CVE-2026-3479

2.1LOW

Key Information:

Vendor

Python Software Foundation

Status
Cpython
Vendor
CVE Published:
18 March 2026

What is CVE-2026-3479?

The pkgutil.get_data() function in Python's CPython does not properly validate the resource argument, which can lead to path traversal vulnerabilities. This potentially allows an attacker to access files on the filesystem that should be restricted, compromising the security of applications that rely on this function. Developers are advised to update their implementations to include proper validation to prevent unauthorized file access.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

CPython 0 < 3.15.0

References

https://github.com/python/cpython/pull/146122
patch
https://mail.python.org/archives/list/security-announce@p...
vendor-advisory
https://github.com/python/cpython/issues/146121
issue-tracking

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.