wheel-0.42.0-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.1) #86
Description
Vulnerable Library - wheel-0.42.0-py3-none-any.whl
A built-package format for Python
Library home page: https://files.pythonhosted.org/packages/c7/c3/55076fc728723ef927521abaa1955213d094933dc36d4a2008d5101e1af5/wheel-0.42.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 5703867cc506719d7029f4ab2cc3f15e2d4cae09
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (wheel version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-24049 |  High |
7.1 | wheel-0.42.0-py3-none-any.whl | Direct | 0.46.2 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-24049
Vulnerable Library - wheel-0.42.0-py3-none-any.whl
A built-package format for Python
Library home page: https://files.pythonhosted.org/packages/c7/c3/55076fc728723ef927521abaa1955213d094933dc36d4a2008d5101e1af5/wheel-0.42.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ wheel-0.42.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 5703867cc506719d7029f4ab2cc3f15e2d4cae09
Found in base branch: main
Vulnerability Details
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Publish Date: 2026-01-22
URL: CVE-2026-24049
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-8rrh-rw8j-w5fx
Release Date: 2026-01-22
Fix Resolution: 0.46.2
Step up your Open Source Security Game with Mend here