VDB
KO

PYSEC-2026-622

Cheetah Path Search Order Hijacking

Details

Cheetah 0.9.15 and 0.9.16 searches the `/tmp` directory for modules before using the paths in the `PYTHONPATH` variable, which allows local users to execute arbitrary code via a malicious module in `/tmp/`.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / cheetah
Introduced in: 0.9.15

No fixed version published yet for cheetah (pip). Pin to a known-safe version or switch to an alternative.

References