[CVE-2026-3479] Documented `pkgutil.get_data()` restrictions are not enforced #146121

Open

Assignees

Labels

3.103.113.123.133.143.15stdlibtype-security

StanFromIreland

opened

on Mar 18, 2026

Please see PR for more information.

The PSRT has decided to treat this as a security issue since this was a documented restriction.

Linked PRs

gh-146121: pkgutil.get_data() reject invalid resource arguments #146122
[3.14] gh-146121: pkgutil.get_data() reject invalid resource arguments (GH-146122) #146133
[3.13] gh-146121: pkgutil.get_data() reject invalid resource arguments (GH-146122) #146134
[3.12] gh-146121: pkgutil.get_data() reject invalid resource arguments (GH-146122) #146135
[3.11] gh-146121: pkgutil.get_data() reject invalid resource arguments (GH-146122) #146136
[3.10] gh-146121: pkgutil.get_data() reject invalid resource arguments (GH-146122) #146137

Metadata

Assignees

StanFromIreland

Labels

3.103.113.123.133.143.15stdlibtype-security

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests