CVE-2026-47763: PDM: Project-Local State and Config Writes Follow Symlinks
PDM writes several project-local state or configuration files without symlink protection. If a malicious repository places those files as symlinks, local PDM operations can overwrite the symlink targets.
This creates an arbitrary file clobber primitive relative to the privileges of the invoking user.
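As an added illustration of the mitigation (not PDM's own code), the helper below writes a project-local file only after verifying that neither the file nor any directory between it and the project root is a symlink, and it opens the final component with O_NOFOLLOW so the check cannot be raced. The file names and the `demo()` scenario are constructed for this example.

```python
"""Added example (not PDM's code): refuse to write a project-local file
through a symlink planted in the checkout."""
import os
import tempfile
from pathlib import Path

# O_NOFOLLOW is POSIX-only; on platforms without it the lstat walk below is
# the only protection (assumption: no equivalent flag is available there).
_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def write_project_file(project_root: Path, relative: str, data: bytes) -> bool:
    """Write <project_root>/<relative>, returning False (and writing nothing)
    if the target or any ancestor inside the project is a symlink, or if the
    resolved parent directory lies outside the project root."""
    root = project_root.resolve()
    target = project_root / relative
    # Walk from the target up to the project root: a symlink anywhere on
    # the way would let a malicious checkout redirect the write elsewhere.
    for node in (target, *target.parents):
        if node == project_root:
            break
        if node.is_symlink():
            return False
    if not target.parent.resolve().is_relative_to(root):
        return False
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | _NOFOLLOW
    try:
        # O_NOFOLLOW makes the open itself fail (ELOOP) if the final
        # component became a symlink after the check above.
        fd = os.open(target, flags, 0o644)
    except OSError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def demo() -> dict:
    """Constructed checkout: a state file is a symlink to a file outside the
    project. The write through the symlink must be refused, a normal one
    must succeed."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        victim = tmp / "victim.txt"
        victim.write_text("original")
        project = tmp / "checkout"
        project.mkdir()
        (project / "state.toml").symlink_to(victim)  # planted by the repo
        blocked = not write_project_file(project, "state.toml", b"clobbered")
        ok = write_project_file(project, "lockfile", b"lock")
        return {"blocked": blocked, "ok": ok, "victim": victim.read_text(),
                "lock": (project / "lockfile").read_bytes()}
```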