MEDIUM PyPI crates.io
GHSA-4gg8-gxpx-9rph uv is vulnerable to arbitrary file write through entry point names
Modified: 5/29/2026
Package: pkg:pypi/uv
uv is vulnerable to arbitrary file write through entry point names
Modified: 5/29/2026
uv allows ZIP payload obfuscation through parsing differentials
Modified: 8/8/2025
uv vulnerable to arbitrary file deletion through RECORD entries
Modified: 4/22/2026
uv allows ZIP payload obfuscation through parsing differentials
Modified: 3/4/2026
uv has differential in tar extraction with PAX headers
Modified: 2/4/2026