—
PYSEC-2026-622
Cheetah Path Search Order Hijacking
Details
Cheetah 0.9.15 and 0.9.16 searches the `/tmp` directory for modules before using the paths in the `PYTHONPATH` variable, which allows local users to execute arbitrary code via a malicious module in `/tmp/`.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / cheetah
Introduced in:
0.9.15 No fixed version published yet for cheetah (pip). Pin to a known-safe version or switch to an alternative.
References
- https://nvd.nist.gov/vuln/detail/CVE-2005-1632 [ADVISORY]
- https://github.com/cheetahtemplate/cheetah [PACKAGE]
- https://web.archive.org/web/20050430021153/http://sourceforge.net/mailarchive/forum.php?thread_id=7070332&forum_id=1542 [WEB]
- https://pypi.org/project/cheetah [PACKAGE]
- https://github.com/advisories/GHSA-vxf2-7rc3-pxmx [ADVISORY]