{"id":"CVE-2024-53899","details":"virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when they are replaced. NOTE: this is not the same as CVE-2024-9287.","aliases":["BIT-virtualenv-2024-53899","GHSA-rqc4-2hc7-8c8v","PYSEC-2024-187"],"modified":"2026-03-12T14:39:51.724150Z","published":"2024-11-24T16:15:06.647Z","related":["ALSA-2024:10953","CGA-hwhg-wr6c-6rj8","SUSE-SU-2024:4093-1","SUSE-SU-2024:4143-1"],"references":[{"type":"ADVISORY","url":"https://github.com/pypa/virtualenv/releases/tag/20.26.6"},{"type":"FIX","url":"https://github.com/pypa/virtualenv/pull/2771"},{"type":"EVIDENCE","url":"https://github.com/pypa/virtualenv/issues/2768"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pypa/virtualenv","events":[{"introduced":"0"},{"fixed":"ec04726d065372ffad9920998aef1ce41252a61d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"20.26.6"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53899.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}