FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

virtualenv -- CWE-59: Improper Link Resolution Before File Access ('Link Following')

Affected packages
py310-virtualenv < 20.36.1
py311-virtualenv < 20.36.1
py312-virtualenv < 20.36.1
py313-virtualenv < 20.36.1
py313t-virtualenv < 20.36.1
py314-virtualenv < 20.36.1

Details

VuXML ID fd3855b8-efbc-11f0-9e3f-b0416f0c4c67
Discovery 2026-01-10
Entry 2026-01-12

https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 reports:

virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
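The check-then-create pattern the advisory describes, next to a symlink-safe way of doing the same thing, as an added example. This is not virtualenv's code and does not reproduce the patched functions; the names ensure_dir_racy, ensure_dir_safe and write_lock_safe are hypothetical, the attacker is a hook the demo calls inside the race window instead of a concurrent process, and the demo assumes a POSIX host on which an unprivileged user can create symlinks.

```python
# Added example (not virtualenv's code): the check-then-create race the
# advisory describes, beside a symlink-safe way to do the same thing.
# All names here are hypothetical; the "attacker" is a hook the demo calls
# inside the race window instead of a concurrent process.
import os
import stat
import tempfile


def ensure_dir_racy(path, between_check_and_use=None):
    """Vulnerable pattern: existence check, then create with exist_ok.

    os.path.isdir() follows symlinks, and makedirs(exist_ok=True) only
    re-checks with isdir() when mkdir fails, so a symlink planted at `path`
    after the check is silently accepted and later writes follow it.
    """
    if not os.path.isdir(path):
        if between_check_and_use is not None:
            between_check_and_use()          # attacker acts in the window
        os.makedirs(path, exist_ok=True)


def ensure_dir_safe(path):
    """Hardened pattern: mkdir never follows a symlink at the final
    component, and lstat() checks what is really there afterwards."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)                      # does not follow symlinks
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path!r} is not a plain directory")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise RuntimeError(f"{path!r} is owned by another user")


def write_lock_safe(lock_path):
    """Create a lock file without following a pre-planted symlink.
    O_CREAT|O_EXCL fails if anything (a symlink included) already exists;
    O_NOFOLLOW is added where the platform has it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(lock_path, flags, 0o600)
    os.close(fd)


def demo():
    """Run both patterns against a planted symlink; return what happened."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        attacker_dir = os.path.join(tmp, "attacker_controlled")
        os.mkdir(attacker_dir)
        app_data = os.path.join(tmp, "app_data")

        def plant_symlink():
            os.symlink(attacker_dir, app_data)

        # 1. Racy version: the symlink lands between check and create, and
        #    the "app data" file is written into the attacker's directory.
        ensure_dir_racy(app_data, between_check_and_use=plant_symlink)
        with open(os.path.join(app_data, "state"), "w") as f:
            f.write("victim data\n")
        out["racy_redirected"] = os.path.isfile(
            os.path.join(attacker_dir, "state"))

        # 2. Safe version refuses the same planted symlink.
        try:
            ensure_dir_safe(app_data)
            out["safe_rejected"] = False
        except RuntimeError:
            out["safe_rejected"] = True

        # 3. Safe version on a clean path creates a real, private directory.
        clean = os.path.join(tmp, "app_data_clean")
        ensure_dir_safe(clean)
        out["safe_created"] = stat.S_ISDIR(os.lstat(clean).st_mode)

        # 4. Lock file: a dangling symlink planted at the lock path would make
        #    open(path, "w") create the attacker's target; O_EXCL refuses it.
        lock_link = os.path.join(tmp, "lock")
        os.symlink(os.path.join(attacker_dir, "redirected"), lock_link)
        try:
            write_lock_safe(lock_link)
            out["lock_refused"] = False
        except FileExistsError:
            out["lock_refused"] = True
        out["lock_target_untouched"] = not os.path.exists(
            os.path.join(attacker_dir, "redirected"))
    return out


if __name__ == "__main__":
    print(demo())
```

The two hardening points are the ones that matter for this class of bug: the creation call itself must refuse to follow a symlink (os.mkdir and O_CREAT|O_EXCL both do), and any post-creation check must use lstat rather than an exists()/isdir() that follows links. Checking ownership afterwards closes the remaining case where the directory already existed and belongs to someone else.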

References

CVE Name CVE-2026-22702
URL https://cveawg.mitre.org/api/cve/CVE-2026-22702