anonhaven
Ad

CVE-2026-5271

MEDIUM CVSS 4.0: 5.6 EPSS 0.01%
Updated Apr 07, 2026
Python
Parameter Value
CVSS 5.6 (MEDIUM)
Type CWE-427 (Uncontrolled Search Path Element)
Vendor Python
Public PoC No

pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory. As a result, if a user executes a pymanager-generated command (e.g., pip, pytest) from an attacker-controlled directory, a malicious module in that directory can be imported and executed instead of the intended package.

Attack Parameters

Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
None
No privileges needed
User Interaction
Active
User action required

Impact Assessment

Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-427 Uncontrolled Search Path Element

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Python Pymanager
cpe:2.3:a:python:pymanager:26.0:*:*:*:*:*:*:*

References 2

https://github.com/python/pymanager/security/advisories/GHSA-jr5x-hgm4-rrm6
cna@python.org
http://www.openwall.com/lists/oss-security/2026/04/01/5
af854a3a-2127-422b-91ae-364da2661108
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-25645

Python

5.5

CVE-2026-32274

Python

8.7

CVE-2026-31900

GitHub

8.7

CVE-2026-21441

Python

8.9