DEBIAN-CVE-2026-3479
PUBLISHED
CVSS 9.3 CRITICAL
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
Risk Scores
CVSS 4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | python3.13 | 3.13.9-1, 0, 3.13.11-1 |
| Debian:14 | python3.13 | 0, 3.13.9-1, 3.13.8-1 |
| Debian:11 | python2.7 | 2.7.18-13.2, 2.7.18-13.1~exp1, 2.7.18-13.1 |
| Debian:11 | pypy3 | 7.3.17+dfsg, 7.3.5+dfsg, 7.3.5+dfsg |
| Debian:13 | pypy3 | 7.3.21+dfsg, 7.3.21+dfsg, 7.3.21+dfsg |
| Debian:12 | pypy3 | 7.3.13+dfsg, *, 0 |
| Debian:12 | python3.11 | 3.11.6-1, 3.11.2-6, 3.11.2-6 |
| Debian:14 | pypy3 | 7.3.21+dfsg, 7.3.21+dfsg, 7.3.21+dfsg |
| Debian:14 | python3.14 | 0, 3.14.4-2, * |
| Debian:11 | python3.9 | 3.9.10-1, 3.9.10-2, 3.9.11-1 |
Exploit Intelligence
- rf-python3.11-dev_advisory.json (github-poc)
Timeline
- Mar 18, 2026 CVE Published
- Apr 28, 2026 CVE Updated