CVE-2026-41140
Poetry: Path traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4. This vulnerability is fixed in 2.3.4.
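The missing protection the advisory describes is a per-member path check before extraction. The following is an added example (not Poetry's code) of a version-aware extractor that uses `tarfile.data_filter` where the interpreter ships it and otherwise applies the same path rules manually; `build_archive` and the member names it is given are constructed sample input.

```python
import io
import os
import tarfile
from pathlib import Path


def _escapes(base: Path, candidate: Path) -> bool:
    """True when candidate resolves to a location outside base (a traversal)."""
    try:
        candidate.resolve().relative_to(base.resolve())
        return False
    except ValueError:
        return True


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Members that would write or link outside dest; mirrors tarfile.data_filter's path rules."""
    base, bad = Path(dest), []
    for m in tar.getmembers():
        target = base / m.name
        if os.path.isabs(m.name) or _escapes(base, target):
            bad.append(m.name)  # absolute path or '..' escaping dest
        elif m.issym() and (os.path.isabs(m.linkname)
                            or _escapes(base, target.parent / m.linkname)):
            bad.append(m.name)  # symlink whose target lies outside dest
    return bad


def safe_extractall(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Use the stdlib filter where it exists; otherwise refuse unsafe archives up front."""
    if hasattr(tarfile, "data_filter"):
        tar.extractall(dest, filter="data")  # raises tarfile.FilterError on traversal
    else:
        bad = unsafe_members(tar, dest)
        if bad:
            raise tarfile.TarError(f"refusing archive, path traversal in: {bad}")
        tar.extractall(dest)
    return [m.name for m in tar.getmembers()]


def build_archive(entries: dict[str, bytes]) -> tarfile.TarFile:
    """Constructed in-memory sdist-style tarball used as sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r:gz")
```

`unsafe_members` can also be run on its own as a pre-extraction scan of downloaded sdists on the affected interpreters.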
| Field | Value |
|---|---|
| CWE | CWE-22 |
| Vendor | python-poetry |
| Product | poetry |
| Published | Apr 24, 2026 |
| Last Updated | Apr 24, 2026 |
Affected Versions
python-poetry / poetry
< 2.3.4