Multiple vulnerabilities have been found in python-pip, the Python package installer.
CVE-2023-5752
When installing a package from a Mercurial VCS URL, arbitrary configuration options could be injected into the "hg clone" call.
CVE-2025-8869
Pip's tar extraction does not check that symbolic links point inside the extraction directory.
20.3.4-4+deb11u2
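A pre-extraction check of the kind the CVE-2025-8869 entry describes as missing, added here as an illustration and not pip's own code: it rejects any tar member, symbolic link or hard link whose resolved target falls outside the destination directory, and exercises that check on a constructed in-memory archive containing one escaping symlink. The destination path and archive contents are constructed sample values.

```python
import io
import os
import tarfile


def _is_within(base: str, target: str) -> bool:
    """True if the absolute path `target` lies inside (or is) `base`."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def check_tar_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return the names of members that would escape `dest` on extraction.

    Besides ".." traversal in member names, this inspects link targets:
    a symlink resolves relative to its own directory, a hard link relative
    to the archive root, and either is rejected when it leaves `dest`.
    """
    dest_abs = os.path.abspath(dest)
    escaping = []
    for m in tar.getmembers():
        member_path = os.path.join(dest_abs, m.name)
        if not _is_within(dest_abs, member_path):
            escaping.append(m.name)
            continue
        if m.issym():
            link_target = os.path.join(os.path.dirname(member_path), m.linkname)
        elif m.islnk():
            link_target = os.path.join(dest_abs, m.linkname)
        else:
            continue
        if not _is_within(dest_abs, link_target):
            escaping.append(m.name)
    return escaping


def build_sample_archive() -> bytes:
    """Constructed sample: one regular file, one safe symlink, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        readme = tarfile.TarInfo("pkg/README")
        readme.size = len(data)
        tar.addfile(readme, io.BytesIO(data))
        safe = tarfile.TarInfo("pkg/docs")        # -> pkg/README, stays inside
        safe.type, safe.linkname = tarfile.SYMTYPE, "README"
        tar.addfile(safe)
        evil = tarfile.TarInfo("pkg/evil")        # -> resolves above dest
        evil.type, evil.linkname = tarfile.SYMTYPE, "../../outside.txt"
        tar.addfile(evil)
    return buf.getvalue()


def escaping_members_in_sample(dest: str = "/tmp/pip-unpack-example") -> list:
    """Run the check on the constructed archive; `dest` need not exist."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive()), mode="r") as tar:
        return check_tar_members(tar, dest)
```

Python 3.12 (and the patched 3.8 to 3.11 point releases) ship the same policy as `tarfile.data_filter`, selectable with `extractall(path, filter="data")`.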