Skip to content

wheel-0.38.4-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.1) #95

New issue
New issue
Open
Open
wheel-0.38.4-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.1)#95
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Jan 22, 2026
Vulnerable Library - wheel-0.38.4-py3-none-any.whl

A built-package format for Python

Library home page: https://files.pythonhosted.org/packages/bd/7c/d38a0b30ce22fc26ed7dbc087c6d00851fb3395e9d0dac40bec1f905030c/wheel-0.38.4-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis

Path to vulnerable library: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis

Found in HEAD commit: d952432cb8d2cb53d7a0c189dc2d16fc535cdc75

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (wheel version) Remediation Possible**
CVE-2026-24049 High 7.1 wheel-0.38.4-py3-none-any.whl Direct 0.46.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-24049

Vulnerable Library - wheel-0.38.4-py3-none-any.whl

A built-package format for Python

Library home page: https://files.pythonhosted.org/packages/bd/7c/d38a0b30ce22fc26ed7dbc087c6d00851fb3395e9d0dac40bec1f905030c/wheel-0.38.4-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis

Path to vulnerable library: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis

Dependency Hierarchy:

  • wheel-0.38.4-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: d952432cb8d2cb53d7a0c189dc2d16fc535cdc75

Found in base branch: master

Vulnerability Details

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

Publish Date: 2026-01-22

URL: CVE-2026-24049

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8rrh-rw8j-w5fx

Release Date: 2026-01-22

Fix Resolution: 0.46.2

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions