Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-3479

created 3 days, 22 hours ago

pkgutil.get_data() does not enforce documented restrictions

pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.

References

https://github.com/python/cpython/pull/146122 patch
https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLV… vendor-advisory
https://github.com/python/cpython/issues/146121 issue-tracking

Affected products

CPython

<3.15.0

Matching in nixpkgs

pkgs.haskellPackages.cpython

Bindings for libpython

nixos-unstable 3.9.0
- nixpkgs-unstable 3.9.0
- nixos-unstable-small 3.9.0
nixos-25.11 3.9.0
- nixos-25.11-small 3.9.0
- nixpkgs-25.11-darwin 3.9.0

Package maintainers

@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>