VDB
KO

PYSEC-2026-666

Mercurial Directory traversal vulnerability

Details

Directory traversal vulnerability in patch.py in Mercurial before 1.0.2 allows user-assisted attackers to modify arbitrary files via ".." (dot dot) sequences in a patch file.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / mercurial
Introduced in: 0 Fixed in: 1.0.2
Fix pip install --upgrade 'mercurial>=1.0.2'

References