Threat Advisory

PDM Vulnerability Allows Path Traversal Attacks

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the pdm package, affecting versions <= 2.22.4. They allow path traversal, enabling an attacker to write arbitrary files on the system where a package is installed. Path traversal of this kind can result in remote code execution or data tampering, so the business risk is significant: it can compromise the security and integrity of both systems and data.

CVE-2026-47764 (CVSS score 7.1) – A path traversal vulnerability that can be triggered by a malicious wheel containing traversal entries, allowing an attacker to write arbitrary files. The root cause is missing path validation in the InstallDestination.write_to_fs() method: entry names are not checked to ensure they resolve inside the install destination before being written to disk.

The overall risk and urgency are high, because exploitation compromises the security and integrity of systems and data. Successful exploitation can lead to data breaches and system compromise, so these vulnerabilities require immediate attention and remediation.
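The defensive check that the advisory says is missing, as an added example (not pdm's own code): every wheel member name is resolved against the install destination and rejected if it would land outside it. The `is_within` and `find_traversal_entries` functions and the constructed sample wheel are assumptions for illustration.

```python
# Added example, not pdm's code: reject wheel entries that escape the install
# destination, the condition CVE-2026-47764 describes for write_to_fs().
import io
import os
import zipfile


def is_within(dest: str, member_name: str) -> bool:
    """Return True only if the zip member would be written inside dest.

    Absolute names are rejected outright (os.path.join would discard dest);
    everything else is joined, fully resolved and compared with the resolved
    destination so that '../' segments and symlinked parents fail closed.
    """
    dest_abs = os.path.realpath(dest)
    if os.path.isabs(member_name) or member_name.startswith(("/", "\\")):
        return False
    target = os.path.realpath(os.path.join(dest_abs, member_name))
    try:
        return os.path.commonpath([dest_abs, target]) == dest_abs
    except ValueError:  # different drives on Windows: never within
        return False


def find_traversal_entries(wheel_bytes: bytes, dest: str) -> list[str]:
    """Return the member names of a wheel (a zip) that would escape dest."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return [name for name in zf.namelist() if not is_within(dest, name)]


def build_sample_wheel() -> bytes:
    """Constructed in-memory sample (not a real package): one benign entry,
    one relative traversal entry and one absolute-path entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "")
        zf.writestr("../outside.txt", "")
        zf.writestr("/etc/absolute.txt", "")
    return buf.getvalue()


if __name__ == "__main__":
    dest = os.path.join(os.getcwd(), "site-packages")
    # Flags the two unsafe entries; an installer should abort on a non-empty list.
    print(find_traversal_entries(build_sample_wheel(), dest))
```

A hardened installer performs this check before calling anything like write_to_fs() and refuses the whole wheel on the first unsafe entry rather than skipping it.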

RECOMMENDATION:

We recommend updating pdm to version 2.27.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-78v8-vpjp-cjqh
