Every CVE whose affected-product data names Pypa Pip, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (9)
CVE-2018-20225 — CVSS 7.8 (high): An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had…
CVE-2019-20916 — CVSS 7.5 (high): The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition…
CVE-2013-1629 — CVSS 6.8 (medium): pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which…
CVE-2013-5123 — CVSS 5.9 (medium): The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows…
CVE-2021-3572 — CVSS 5.7 (medium): A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue…
CVE-2023-5752 — CVSS 5.5 (medium): When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision…
CVE-2026-8643 — CVSS 5.5 (medium): pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the…
CVE-2014-8991 — CVSS 2.1 (low): pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-*…
CVE-2013-1888 — CVSS 2.1 (low): pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.