Is compliance-trestle affected by CVE-2026-45725?

PyPI compliance-trestle is affected in >=4.0.0 <4.0.3, <3.12.2.

Is CVE-2026-45725 being exploited?

Not on the CISA KEV list. EPSS exploit probability is not available.

high

CVE-2026-45725

Q: Is CVE-2026-45725 being exploited?

Not on the CISA KEV list. EPSS exploit probability is not available.

PyPI · compliance-trestle

Summary

compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal

Severity: high
Also known as: GHSA-g3vg-vx23-3858
Published: 2026-05-27

References

https://github.com/oscal-compass/compliance-trestle/security/advisories/GHSA-g3vg-vx23-3858
https://github.com/oscal-compass/compliance-trestle/commit/89f4e53d159e8ff901da4d7c3b51c9556bd32ec0
https://github.com/oscal-compass/compliance-trestle/commit/9abc492329fcc8d0557182317de9bde854385da3

Related advisories

CVE-2026-46439 — high · PyPI/compliance-trestle
CVE-2026-46345 — high · PyPI/compliance-trestle
CVE-2026-46380 — medium · PyPI/compliance-trestle
CVE-2026-45774 — medium · PyPI/compliance-trestle

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.