CVE-2025-13327 MEDIUM

CVE-2025-13327: uv: specially crafted ZIP archives lead to arbitrary code execution due to parsing differentials

Vendor: Astral-Sh
Product: uv
Weakness: CWE-1286
Published: February 27, 2026
Last update: March 18, 2026

CVSS base score

6.3/10
Attack vector: Local
Attack complexity: High
Privileges required: High
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

A flaw was found in uv. Specially crafted ZIP archives that exploit parsing differentials allow an attacker to execute malicious code during package resolution or installation. Exploitation requires user interaction: the user must install an attacker-controlled package.

Key dates

02 Disclosure timeline

February 27, 2026: CVE published
March 18, 2026: Record updated