pdm
PyPI
4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting pdm (page 1 of 1)
- CVE-2023-45805 | HIGH | CVSS 7.8 | EG 7.8 | 2023-10-20
  vulnerable: 0.0.0 ... 2.9.3 (176 versions)
  pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyP…
- CVE-2026-47763 | MEDIUM | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.27.0 | 2026-06-10
  vulnerable: 0.0.0 ... 2.9.3 (247 versions)
  PDM: Project-Local State and Config Writes Follow Symlinks. Summary: PDM writes several project-local state or configuration files without symlink protection. If a malicious repository places those files as symlinks, local PDM operation…
- CVE-2026-47764 | HIGH | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.27.0 | 2026-06-10
  vulnerable: 0.0.0 ... 2.9.3 (247 versions)
  PDM wheel installation leads to Path Traversal via overridden write_to_fs. InstallDestination.write_to_fs() in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but replaces the safe _path_with_dest…
- CVE-2026-47781 | HIGH | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.27.0 | 2026-06-11
  vulnerable: 0.0.0 ... 2.9.3 (247 versions)
  PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing. Summary: PDM automatically loads project-local plugin paths from `.pdm-plugins` during `Core` initialization. Because this path is added via `site.addsitedir()`…