pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory. As a result, if a user executes a pymanager-generated command (e.g., pip, pytest) from an attacker-controlled directory, a malicious module in that directory can be imported and executed instead of the intended package.
| Vendor | Product | Versions |
|---|---|---|
| pymanager | pymanager | 26.0 |
Updated severity to MEDIUM and marked the vulnerability as exploit available and actively exploited.
Updated vendor and product information, added affected version 26.0, and changed severity to HIGH.
Initial creation
