What is GHSA-78v8-vpjp-cjqh?

GHSA-78v8-vpjp-cjqh is a security advisory published by GitHub Security Advisories with High severity. PDM wheel installation leads to Path Traversal via overridden write_to_fs

Which CVE IDs does GHSA-78v8-vpjp-cjqh cover?

GHSA-78v8-vpjp-cjqh covers the following CVE IDs: CVE-2026-47764. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-78v8-vpjp-cjqh?

GHSA-78v8-vpjp-cjqh affects 1 product, including: pip/pdm:\u003c= 2.22.4.

GHSA-78v8-vpjp-cjqhHigh

PDM wheel installation leads to Path Traversal via overridden write_to_fs

Vendor

GitHub Security Advisories

Published

June 10, 2026

Last Modified

June 10, 2026

🔗 CVE IDs covered (1)

CVE-2026-47764 →

📋 Description

InstallDestination.write_to_fs() in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but replaces the safe _path_with_destdir() (which validates via Path.resolve() + is_relative_to()) with a bare os.path.join() that performs no path validation. A malicious wheel with traversal entries can write arbitrary files. Same class as Poetry CVE-2026-34591. Fix ready at: https://github.com/pdm-project/pdm/pull/3787.

🎯 Affected products1

pip/pdm:<= 2.22.4

🔗 References (4)

https://github.com/pdm-project/pdm/security/advisories/GHSA-78v8-vpjp-cjqh
https://github.com/pdm-project/pdm/pull/3787
https://github.com/pdm-project/pdm/releases/tag/2.27.0
https://github.com/advisories/GHSA-78v8-vpjp-cjqh