CVE-2026-5271

UNKNOWN 0.0

Possible to hijack modules in current working directory

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory. As a result, if a user executes a pymanager-generated command (e.g., pip, pytest) from an attacker-controlled directory, a malicious module in that directory can be imported and executed instead of the intended package.

Vendor	python software foundation
Product	pymanager
Published	Apr 1, 2026
Last Updated	Apr 1, 2026

Stay Ahead of the Next One

Get instant alerts for python software foundation pymanager

Be the first to know when new unknown vulnerabilities affecting python software foundation pymanager are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Python Software Foundation / pymanager

26.0 < 26.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/python/pymanager/security/advisories/GHSA-jr5x-hgm4-rrm6 openwall.com: http://www.openwall.com/lists/oss-security/2026/04/01/5

Credits

Steve Dower 🔍 LAKSHMIKANTHAN K