{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5271", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2026-03-31T20:02:35.393Z", "datePublished": "2026-04-01T13:48:07.534Z", "dateUpdated": "2026-04-01T23:12:18.741Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "pymanager", "repo": "https://github.com/python/pymanager", "vendor": "Python Software Foundation", "versions": [{"lessThan": "26.1", "status": "affected", "version": "26.0", "versionType": "python"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Steve Dower"}, {"lang": "en", "type": "reporter", "value": "LAKSHMIKANTHAN K"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory.&nbsp;As a result, if a user executes a pymanager-generated command (e.g., <code>pip</code>, <code>pytest</code>)\n from an attacker-controlled directory, a malicious module in that \ndirectory can be imported and executed instead of the intended package."}], "value": "pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory.\u00a0As a result, if a user executes a pymanager-generated command (e.g., pip, pytest)\n from an attacker-controlled directory, a malicious module in that \ndirectory can be imported and executed instead of the intended package."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.6, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-04-01T15:38:55.523Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://github.com/python/pymanager/security/advisories/GHSA-jr5x-hgm4-rrm6"}], "source": {"discovery": "UNKNOWN"}, "title": "Possible to hijack modules in current working directory", "x_generator": {"engine": "Vulnogram 0.6.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-427", "lang": "en", "description": "CWE-427 Uncontrolled Search Path Element"}]}], "references": [{"url": "https://github.com/python/pymanager/security/advisories/GHSA-jr5x-hgm4-rrm6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T17:58:52.079116Z", "id": "CVE-2026-5271", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T17:58:58.338Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/01/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-01T23:12:18.741Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/01/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-01T23:12:18.741Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5271", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T17:58:52.079116Z"}}}], "references": [{"url": "https://github.com/python/pymanager/security/advisories/GHSA-jr5x-hgm4-rrm6", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T17:57:50.666Z"}}], "cna": {"title": "Possible to hijack modules in current working directory", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "remediation developer", "value": "Steve Dower"}, {"lang": "en", "type": "reporter", "value": "LAKSHMIKANTHAN K"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.6, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/python/pymanager", "vendor": "Python Software Foundation", "product": "pymanager", "versions": [{"status": "affected", "version": "26.0", "lessThan": "26.1", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/python/pymanager/security/advisories/GHSA-jr5x-hgm4-rrm6", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.6.0"}, "descriptions": [{"lang": "en", "value": "pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory.\u00a0As a result, if a user executes a pymanager-generated command (e.g., pip, pytest)\n from an attacker-controlled directory, a malicious module in that \ndirectory can be imported and executed instead of the intended package.", "supportingMedia": [{"type": "text/html", "value": "pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory.&nbsp;As a result, if a user executes a pymanager-generated command (e.g., <code>pip</code>, <code>pytest</code>)\n from an attacker-controlled directory, a malicious module in that \ndirectory can be imported and executed instead of the intended package.", "base64": false}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-04-01T15:38:55.523Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5271", "state": "PUBLISHED", "dateUpdated": "2026-04-01T23:12:18.741Z", "dateReserved": "2026-03-31T20:02:35.393Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2026-04-01T13:48:07.534Z", "assignerShortName": "PSF"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:pymanager:26.0:*:*:*:*:*:*:*", "matchCriteriaId": "E4A6769E-1941-4B8E-8D05-6AADC5C52051", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory.\u00a0As a result, if a user executes a pymanager-generated command (e.g., pip, pytest)\n from an attacker-controlled directory, a malicious module in that \ndirectory can be imported and executed instead of the intended package."}], "id": "CVE-2026-5271", "lastModified": "2026-04-07T19:43:28.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2026-04-01T14:16:59.343", "references": [{"source": "cna@python.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/python/pymanager/security/advisories/GHSA-jr5x-hgm4-rrm6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/01/5"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/python/pymanager/security/advisories/GHSA-jr5x-hgm4-rrm6"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[26.0,26.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "pymanager", "vendor": "python"}], "analysis": {"en": {"generated_at": "2026-04-07T23:39:10.063674+00:00", "value": {"mitigation_remediation": ["Upgrade pymanager to a version where the issue is resolved.", "If an upgrade is not immediately possible, run pymanager commands from a directory that is not under attacker control or change to a safe directory before execution.", "Adjust PYTHONPATH to exclude the current working directory so that local modules are not considered during import."], "summary": {"action": "Apply patch", "impact": "Malicious module import leading to arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Python Software Foundation\u2019s pymanager, specifically version 26.0 and earlier releases. Any installation of these versions that may be invoked from an untrusted working directory is at risk. Administrators should verify the version of pymanager in use and consider the impact if the tool is executed in directories that may be controlled by untrusted parties.", "description_and_impact": "pymanager adds the current working directory to the Python import path, allowing a local file with the same name as a legitimate module to shadow the intended package. When a user runs a pymanager\u2011generated command such as pip or pytest from an attacker\u2011controlled directory, the malicious module can be imported and executed under the user\u2019s privileges. This represents an arbitrary code execution risk and is classified under CWE\u2011427 (Uncontrolled Search Path Elements).", "risk_and_exploitability": "The CVSS score of 5.6 indicates moderate damage potential, while an EPSS score of less than 1% suggests the vulnerability is currently unlikely to be exploited widely. The vulnerability is not listed in the CISA KEV catalog and no public exploit has been documented. Exploitation requires the attacker to have write access to the working directory and to trigger a pymanager command while executing from that location. The attack can execute arbitrary code with the privileges of the user launching the command. The risk is thus primarily confined to environments where pymanager is run from directories that can be influenced by external or third\u2011party input."}}}}, "created": "2026-04-02T07:49:09.245412+00:00", "updated": "2026-04-08T19:57:10.428534+00:00", "vendors": ["python", "python$PRODUCT$pymanager"]}