Vulnerable Library - wheel-0.45.1-py3-none-any.whl
A built-package format for Python
Library home page: https://files.pythonhosted.org/packages/0b/2c/87f3254fd8ffd29e4c02732eee68a83a1d3c346ae39bc6822dcbcb697f2b/wheel-0.45.1-py3-none-any.whl
Path to dependency file: /test_requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250921182043_LPXROH/python_OMWQYE/20250921182044/wheel-0.45.1-py3-none-any.whl
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Exploit Maturity |
EPSS |
Dependency |
Type |
Fixed in (wheel version) |
Remediation Possible** |
Reachability |
| CVE-2026-24049 |
 High |
7.1 |
Not Defined |
0.0% |
wheel-0.45.1-py3-none-any.whl |
Direct |
0.46.2 |
✅ |
|
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-24049
Vulnerable Library - wheel-0.45.1-py3-none-any.whl
A built-package format for Python
Library home page: https://files.pythonhosted.org/packages/0b/2c/87f3254fd8ffd29e4c02732eee68a83a1d3c346ae39bc6822dcbcb697f2b/wheel-0.45.1-py3-none-any.whl
Path to dependency file: /test_requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250921182043_LPXROH/python_OMWQYE/20250921182044/wheel-0.45.1-py3-none-any.whl
Dependency Hierarchy:
- ❌ wheel-0.45.1-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Publish Date: 2026-01-22
URL: CVE-2026-24049
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-8rrh-rw8j-w5fx
Release Date: 2026-01-22
Fix Resolution: 0.46.2
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
A built-package format for Python
Library home page: https://files.pythonhosted.org/packages/0b/2c/87f3254fd8ffd29e4c02732eee68a83a1d3c346ae39bc6822dcbcb697f2b/wheel-0.45.1-py3-none-any.whl
Path to dependency file: /test_requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250921182043_LPXROH/python_OMWQYE/20250921182044/wheel-0.45.1-py3-none-any.whl
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - wheel-0.45.1-py3-none-any.whl
A built-package format for Python
Library home page: https://files.pythonhosted.org/packages/0b/2c/87f3254fd8ffd29e4c02732eee68a83a1d3c346ae39bc6822dcbcb697f2b/wheel-0.45.1-py3-none-any.whl
Path to dependency file: /test_requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250921182043_LPXROH/python_OMWQYE/20250921182044/wheel-0.45.1-py3-none-any.whl
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Publish Date: 2026-01-22
URL: CVE-2026-24049
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-8rrh-rw8j-w5fx
Release Date: 2026-01-22
Fix Resolution: 0.46.2
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules