{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-01T21:16:52.814","vulnerabilities":[{"cve":{"id":"CVE-2026-24049","sourceIdentifier":"security-advisories@github.com","published":"2026-01-22T05:16:23.157","lastModified":"2026-02-18T14:56:48.657","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2."},{"lang":"es","value":"wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification due to incorrect handling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (for example, /etc/passwd, SSH keys, configuration files), allowing privilege escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"},{"lang":"en","value":"CWE-732"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wheel_project:wheel:*:*:*:*:*:python:*:*","versionStartIncluding":"0.40.0","versionEndExcluding":"0.46.2","matchCriteriaId":"977849BE-E1EA-4B60-AF30-9C248A8B9635"}]}]}],"references":[{"url":"https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/pypa/wheel/releases/tag/0.46.2","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}
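The description above names the bug class precisely: extraction sanitizes the member path, but the follow-up chmod is keyed on the raw name from the archive header, so a `../` member can re-permission a file outside the unpack directory. The following is an added, self-contained reproduction of that pattern and its fix. It is not code from pypa/wheel and does not reuse wheel's function names; `unpack_vulnerable`, `unpack_fixed`, `make_malicious_archive` and `demo` are hypothetical names, the archive is constructed in a temporary directory, and a stand-in file plays the role of the "critical system file" so nothing on the host is touched. It relies only on CPython's `zipfile`, whose `ZipFile.extract()` strips `..` components and returns the path it actually wrote.

```python
"""Added example (not pypa/wheel code): chmod-after-extract path confusion,
as described for CVE-2026-24049, shown vulnerable and fixed.
All names, the archive layout and the member name are constructed for this demo."""
import os
import stat
import tempfile
import zipfile


def make_malicious_archive(path, member_name, mode=0o777):
    """Write a constructed zip whose single member carries a traversal name
    and a permissive mode in external_attr, the way a crafted wheel would."""
    zi = zipfile.ZipInfo(member_name)
    zi.external_attr = (stat.S_IFREG | mode) << 16  # unix mode lives in the high 16 bits
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(zi, b"payload\n")


def unpack_vulnerable(archive, dest):
    """Vulnerable pattern: extract() sanitizes the path, but chmod is applied
    to dest joined with the *raw* header name, which may escape dest."""
    touched = []
    with zipfile.ZipFile(archive) as zf:
        for zinfo in zf.infolist():
            zf.extract(zinfo, dest)                      # lands safely under dest
            mode = (zinfo.external_attr >> 16) & 0o777
            target = os.path.join(dest, zinfo.filename)  # BUG: unsanitized name
            if mode and os.path.exists(target):
                os.chmod(target, mode)
                touched.append(os.path.realpath(target))
    return touched


def unpack_fixed(archive, dest):
    """Hardened pattern: chmod only the path extract() reports having written,
    which is guaranteed to lie under dest."""
    touched = []
    with zipfile.ZipFile(archive) as zf:
        for zinfo in zf.infolist():
            written = zf.extract(zinfo, dest)
            mode = (zinfo.external_attr >> 16) & 0o777
            if mode:
                os.chmod(written, mode)
                touched.append(os.path.realpath(written))
    return touched


def demo(unpack):
    """Run one unpacker against a constructed archive.
    Returns (mode of the outside file afterwards, whether any chmod escaped dest)."""
    with tempfile.TemporaryDirectory() as root:
        victim_dir = os.path.join(root, "victim")
        os.makedirs(victim_dir)
        victim = os.path.join(victim_dir, "script.sh")  # stand-in for /etc/passwd, a key, etc.
        with open(victim, "w") as f:
            f.write("#!/bin/sh\necho hi\n")
        os.chmod(victim, 0o600)

        dest = os.path.join(root, "unpack", "pkg")
        os.makedirs(dest)
        # Member name climbs from root/unpack/pkg back up to root/victim/script.sh.
        archive = os.path.join(root, "evil.whl")
        make_malicious_archive(archive, "../../victim/script.sh", mode=0o777)

        touched = unpack(archive, dest)
        mode_after = stat.S_IMODE(os.stat(victim).st_mode)
        base = os.path.realpath(dest) + os.sep
        escaped = any(not p.startswith(base) for p in touched)
        return mode_after, escaped


if __name__ == "__main__":
    print("vulnerable:", demo(unpack_vulnerable))  # outside file becomes 0o777
    print("fixed:     ", demo(unpack_fixed))       # outside file stays 0o600
```

The check that matters is the one in `unpack_fixed`: every post-extraction operation (chmod, utime, symlink creation) must be keyed on the path the extractor actually produced, never on the archive's own name for the member. The same audit applies to any unpacker wrapping `zipfile`/`tarfile` that does its own permission handling, since CPython's `ZipFile.extract()` sanitizes the destination but does not apply modes itself.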