CVE-2026-3479

N/A Unknown

Published: March 18, 2026 Modified: April 07, 2026

Description

DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fe

Source: cna@python.org

https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7

Source: cna@python.org

https://github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943

Source: cna@python.org

https://github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59c

Source: cna@python.org

https://github.com/python/cpython/issues/146121

Source: cna@python.org

https://github.com/python/cpython/pull/146122

Source: cna@python.org

https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/

Source: cna@python.org

7 reference(s) from NVD

Quick Stats

CVSS v3 Score

N/A / 10.0

EPSS (Exploit Probability)

0.0%

3th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-22

Related CVEs

CVE-2026-4049 N/A

CVE-2026-41455 8.5

CVE-2026-41454 8.3

CVE-2026-41314 N/A

CVE-2026-41313 N/A