Description
PyVista provides 3D plotting and mesh analysis through an interface for the Visualization Toolkit (VTK). Version 0.46.3 of the PyVista Project is vulnerable to remote code execution via dependency confusion. Two pieces of code use `--extra-index-url`. But when `--extra-index-url` is used, pip always checks for the PyPI index first, and then the external index. One package listed in the code is not published on PyPI. If an attacker publishes a package with a higher version on PyPI, the malicious code from the attacker-controlled package may be pulled, leading to remote code execution and a supply chain attack. As of time of publication, a patched version is unavailable.
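The following is an added example, not code from the PyVista project or from the advisory. It simulates the candidate selection pip performs when a private index is supplied with `--extra-index-url` (candidates from every configured index are pooled and the highest version wins), shows why a same-named package on PyPI with a higher version displaces the private one, and contrasts that with two mitigations: restricting resolution to the private index with `--index-url`, and hash-pinned requirements as enforced by `pip install --require-hashes`. It also includes a small scanner for the risky flag in shell scripts or Dockerfiles. All index URLs, package names, versions and file contents below are constructed placeholders, not values from the affected repository.

```python
import hashlib
import re

# Constructed index URLs; the private host is a placeholder, not a real service.
PYPI = "https://pypi.org/simple"
PRIVATE = "https://private.example.invalid/simple"

# Constructed index contents: index URL -> {package name: [available versions]}.
# "internal-tool" exists only on the private index, mirroring the advisory's situation.
INDEXES = {
    PYPI: {"numpy": ["1.26.4", "2.0.0"]},
    PRIVATE: {"numpy": ["2.0.0"], "internal-tool": ["1.2.0"]},
}


def _version_key(version):
    """Order plain dotted versions numerically (sufficient for this simulation)."""
    return tuple(int(part) for part in version.split("."))


def resolve(package, index_url, extra_index_urls=(), indexes=INDEXES):
    """Mimic pip's behaviour: every index named via --index-url or --extra-index-url
    is queried, the candidates are pooled, and the highest version is chosen.
    Returns (version, index_url_it_came_from)."""
    candidates = []
    for url in (index_url, *extra_index_urls):
        for version in indexes.get(url, {}).get(package, []):
            candidates.append((version, url))
    if not candidates:
        raise LookupError(f"{package}: no candidates on any configured index")
    return max(candidates, key=lambda c: _version_key(c[0]))


def with_pypi_upload(indexes, package, version):
    """Constructed event: a package with the same name appears on PyPI.
    Returns a new index map; the input is left untouched."""
    copied = {url: {p: list(v) for p, v in pkgs.items()} for url, pkgs in indexes.items()}
    copied[PYPI].setdefault(package, []).append(version)
    return copied


def weak_config(indexes=INDEXES):
    """pip install --extra-index-url PRIVATE internal-tool  (PyPI is still consulted)."""
    return resolve("internal-tool", PYPI, (PRIVATE,), indexes)


def hardened_config(indexes=INDEXES):
    """pip install --index-url PRIVATE internal-tool  (PyPI is never consulted)."""
    return resolve("internal-tool", PRIVATE, (), indexes)


def pinned_requirement(name, version, artifact_bytes):
    """Build a requirements line in the form pip --require-hashes expects."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    return f"{name}=={version} --hash=sha256:{digest}"


def check_hash_pin(requirement_line, artifact_bytes):
    """Emulate --require-hashes: the downloaded artifact must match the pinned
    digest; a line without a hash fails closed, as pip does in that mode."""
    match = re.search(r"--hash=sha256:([0-9a-f]{64})", requirement_line)
    if not match:
        return False
    return hashlib.sha256(artifact_bytes).hexdigest() == match.group(1)


def find_extra_index_usage(text):
    """Flag lines of a shell script or Dockerfile that pass --extra-index-url to pip,
    so they can be reviewed for packages that do not exist on PyPI."""
    return [(number, line.strip())
            for number, line in enumerate(text.splitlines(), start=1)
            if "--extra-index-url" in line]


# Constructed sample file content resembling an install step in a Dockerfile.
SAMPLE_DOCKERFILE = """FROM python:3.12-slim
RUN pip install --extra-index-url https://private.example.invalid/simple internal-tool
RUN pip install numpy
"""

if __name__ == "__main__":
    print("before upload, weak config  :", weak_config())
    attacked = with_pypi_upload(INDEXES, "internal-tool", "99.0.0")
    print("after upload,  weak config  :", weak_config(attacked))
    print("after upload,  hardened     :", hardened_config(attacked))
    print("flagged lines:", find_extra_index_usage(SAMPLE_DOCKERFILE))
```

The point the simulation makes is that `--extra-index-url` does not express a preference; it only enlarges the candidate pool, so any higher version published on PyPI under the same name is selected. Pointing `--index-url` at the private index alone removes PyPI from the pool, and hash pinning rejects any artifact other than the one that was reviewed, whichever index served it.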
References (4)
Vendor Advisory: https://github.com/pyvista/pyvista/security/advisories/GHSA-xr7f-qcjc-63rv
Patch: https://github.com/pyvista/pyvista/commit/aabfb3db2b0d4980de9e94e66272240efba4ed95
Various Sources: https://github.com/pyvista/pyvista/blob/c96e1ddbe707fb7d3eb574dc3336de1a946f14a1/.devcontainer/offscreen/oncreatecommand.sh#L4
Various Sources: https://github.com/pyvista/pyvista/blob/c96e1ddbe707fb7d3eb574dc3336de1a946f14a1/docker/slim.Dockerfile#L13
Scores
CVSS v4: 9.3
EPSS: 0.0057
EPSS Percentile: 68.8%
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-94
Status: published
Products (1): pyvista/pyvista = 0.46.3
Published: Oct 06, 2025
Tracked Since: Feb 18, 2026