CVE•Published 2026-04-20•Modified 2026-04-27•0 articles on news•7 live references•NVD data

CVE-2026-28684Saurabh-kumar · Python-dotenv

Vulnerability data via NVD (ingested)

CVSS v3.1

6.6

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

EPSS percentile

Exploit Prediction Scoring System · top 96% of all CVEs

Weaknesses (CWE)

CWE-59Improper Link Resolution Before File Access ('Link Following')CWE-61UNIX Symbolic Link (Symlink) Following

Description

python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually.

Timeline

Published 2026-04-20

Modified 2026-04-27

External references

NVD MITRE Exploit-DB GitHub PoC Sploitus trickest/cve VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-28684

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"Saurabh-kumar Python-dotenv"

All exposed Saurabh-kumar Python-dotenv instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Python-dotenv"

HTTP body or banner mentions "Python-dotenv" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-28684