CVE-2026-3479 (CVSS severity: None)

CVE-2026-3479: pkgutil.get_data() does not enforce documented restrictions

Vendor: Python Software Foundation
Product: CPython
Published: March 18, 2026
Last update: April 7, 2026

CVSS base score: 0.0/10
Attack vector: Physical
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

pkgutil.get_data() did not validate the resource argument as its documentation stated, so a resource name containing path components such as ".." could reach files outside the package directory (path traversal).

DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(): it performs no validation of the resource argument, and callers are responsible for validating untrusted input before passing it in. The documentation has been updated to state this. Under that intended security model there is no vulnerability in the function.
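Because the project's position is that pkgutil.get_data() behaves like open(), the practical mitigation is the same as for open(): never pass an untrusted resource name to it without validation. The following wrapper is an added example written for this page, not code from CPython or the CVE record; the function names (is_safe_resource, get_package_data) are my own, and it assumes the caller wants to restrict resource names to relative, normalized paths inside the package.

```python
import os
import pkgutil
from typing import Optional


def is_safe_resource(resource: str) -> bool:
    """Return True only for a relative, normalized resource name.

    Rejects empty names, absolute paths (POSIX or Windows style), drive
    letters, and any '.', '..' or empty path component, so the name cannot
    escape the package directory when pkgutil.get_data() joins it onto the
    package's location.
    """
    if not resource:
        return False
    # Normalize Windows separators so a '..\\' segment is caught as well.
    normalized = resource.replace("\\", "/")
    if normalized.startswith("/") or os.path.isabs(resource):
        return False
    # Drive-letter prefix such as 'C:' (hypothetical untrusted input).
    if len(normalized) >= 2 and normalized[1] == ":":
        return False
    parts = normalized.split("/")
    return all(part not in ("", ".", "..") for part in parts)


def get_package_data(package: str, resource: str) -> Optional[bytes]:
    """Validate the resource name, then delegate to pkgutil.get_data().

    pkgutil.get_data() itself applies no restriction (same model as open()),
    so the check has to happen here, before the call.
    """
    if not is_safe_resource(resource):
        raise ValueError(f"refusing unsafe resource name: {resource!r}")
    return pkgutil.get_data(package, resource)


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate name and a traversal attempt.
    print(is_safe_resource("data/config.json"))   # True
    print(is_safe_resource("../../etc/passwd"))   # False
    # Reads a file that really exists inside the stdlib 'json' package.
    print(len(get_package_data("json", "__init__.py") or b"") > 0)  # True
```

The wrapper deliberately rejects "." and "" components as well as "..", so only clean, forward-slash relative names reach pkgutil.get_data(); anything else raises ValueError and is logged by the caller as a rejected input rather than silently resolving to a file outside the package.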

Key dates

Disclosure timeline

March 18, 2026: CVE published
April 7, 2026: Record updated