FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2026-01-24 11:07:55 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
65439aa0-f77d-11f0-9821-b0416f0c4c67	wheel -- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx reports: wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2. Discovery 2026-01-22 Entry 2026-01-22 py310-wheel py311-wheel py312-wheel py313-wheel py313t-wheel py314-wheel < 0.46.2 CVE-2026-24049 https://cveawg.mitre.org/api/cve/CVE-2026-24049

VuXML ID

Description

65439aa0-f77d-11f0-9821-b0416f0c4c67

wheel -- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx reports:

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

Discovery 2026-01-22
Entry 2026-01-22
py310-wheel
py311-wheel
py312-wheel
py313-wheel
py313t-wheel
py314-wheel

< 0.46.2

CVE-2026-24049
https://cveawg.mitre.org/api/cve/CVE-2026-24049