Cyber Posture

CVE-2026-5271

Severity: High · Public PoC

Published: 01 April 2026
Modified: 07 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.0th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5271 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Python Pymanager. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008). The CVE is ranked at the 3.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Path Interception by Search Order Hijacking (T1574.008).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Remediates the flaw in pymanager by applying available patches that prevent inclusion of the current working directory in sys.path, stopping module shadowing attacks.

detect: Vulnerability scanning identifies CVE-2026-5271 in pymanager deployments, enabling timely detection and patching of the untrusted search path issue.

detect: Monitors and responds to security advisories like the GitHub GHSA and OSS-Security postings specific to this pymanager vulnerability, facilitating proactive mitigation.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1574.008 Path Interception by Search Order Hijacking (tactic tag: Stealth)
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.

Why these techniques?

The vulnerability directly enables path interception by search order hijacking (T1574.008) via inclusion of the current working directory in sys.path, allowing malicious Python modules to shadow legitimate ones and execute arbitrary code when pymanager commands are run from an attacker-controlled directory.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory. As a result, if a user executes a pymanager-generated command (e.g., pip, pytest) from an attacker-controlled directory, a malicious module in that directory can be imported and executed instead of the intended package.

Deeper analysis [AI-generated]

CVE-2026-5271 is a vulnerability in pymanager, a Python tool, published on 2026-04-01. The issue arises because pymanager includes the current working directory in sys.path, so modules in that directory can shadow legitimate modules from the intended packages. This affects execution of pymanager-generated commands, such as pip or pytest, when they are run from a directory containing malicious modules. The vulnerability is classified under CWE-427 (Uncontrolled Search Path Element) with a CVSS v3.1 base score of 7.8 (High; AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An unprivileged local attacker can exploit this by controlling a directory and convincing a user to execute a pymanager-generated command from it, such as through social engineering or misleading file placement. Upon execution, Python imports the malicious module instead of the legitimate one, allowing arbitrary code execution with high impacts on confidentiality, integrity, and availability.
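The condition described above is a search-path audit problem: does the module search path contain an entry that resolves to the directory the user is running from? The following is an added example (not code from the advisory, from Cyber Posture, or from the pymanager project) that checks a sys.path-style list for such entries, strips them, and reports whether the interpreter was started with Python 3.11's `-P` / `PYTHONSAFEPATH` option, which keeps the current directory off sys.path before any import runs. The function names `cwd_entries`, `harden_sys_path` and `safe_path_enabled` are this example's own and are not pymanager APIs.

```python
"""Audit a module search path for current-working-directory entries.

Added example, not code from the advisory or the pymanager project: a
defender-side check for the CWE-427 condition behind CVE-2026-5271, where a
command's sys.path contains the directory the user happens to run it from.
The function names below are assumed names chosen for this example.
"""
import os
import sys
from pathlib import Path


def cwd_entries(search_path, cwd=None):
    """Return (index, raw_entry) pairs for entries that resolve to the cwd.

    '' or '.' in sys.path means "the current directory" (the interpreter
    inserts '' for `python -c` and the interactive prompt); an absolute or
    relative entry that resolves to the cwd is the same hazard spelled out.
    """
    cwd = Path(cwd if cwd is not None else os.getcwd()).resolve()
    hits = []
    for i, entry in enumerate(search_path):
        candidate = Path(entry) if entry else Path(".")
        if not candidate.is_absolute():
            # Relative entries are searched relative to the process cwd.
            candidate = cwd / candidate
        try:
            resolved = candidate.resolve()
        except (OSError, RuntimeError):
            continue  # symlink loop or unreadable path: cannot be the cwd
        if resolved == cwd:
            hits.append((i, entry))
    return hits


def harden_sys_path(search_path, cwd=None):
    """Return a copy of search_path with cwd-equivalent entries removed.

    Starting the interpreter with -P or PYTHONSAFEPATH=1 (Python 3.11+)
    achieves the same before any import happens; stripping entries after
    start-up only protects imports that have not run yet.
    """
    drop = {i for i, _ in cwd_entries(search_path, cwd)}
    return [e for i, e in enumerate(search_path) if i not in drop]


def safe_path_enabled():
    """True when this interpreter was started with -P or PYTHONSAFEPATH."""
    return bool(getattr(sys.flags, "safe_path", False))


if __name__ == "__main__":
    # Audit the live interpreter. `python -c` and the interactive prompt put
    # '' first on sys.path, so a hit at index 0 is expected there.
    print("safe_path flag:", safe_path_enabled())
    hits = cwd_entries(sys.path)
    for index, entry in hits:
        print(f"sys.path[{index}] = {entry!r} resolves to the cwd")
    if not hits:
        print("no cwd entries on sys.path")
```

Run it as `python3 audit_syspath.py` and again as `python3 -P audit_syspath.py` (3.11+) to see the difference: the first report lists the script's own directory only if it equals the cwd, the second sets the `safe_path` flag and produces no hits. The same `cwd_entries` check can be pointed at any command's `sys.path` (for example from a wrapper's `-c "import sys; print(sys.path)"` output) to confirm that a patched tool no longer places the working directory on the search path.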

Advisories providing mitigation guidance and patches are available in the GitHub security advisory for pymanager at https://github.com/python/pymanager/security/advisories/GHSA-jr5x-hgm4-rrm6 and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2026/04/01/5.

Details

CWE(s): CWE-427 (Uncontrolled Search Path Element)

Affected Products: python / pymanager 26.0

CVEs Like This One

CVE-2026-34632 (shared CWE-427)
CVE-2026-32274 (same vendor: Python)
CVE-2024-53977 (shared CWE-427)
CVE-2026-34054 (shared CWE-427)
CVE-2026-40192 (same vendor: Python)
CVE-2026-25990 (same vendor: Python)
CVE-2025-33208 (shared CWE-427)
CVE-2026-31900 (same vendor: Python)
CVE-2026-21441 (same vendor: Python)
CVE-2025-25003 (shared CWE-427)

References