SCA: security update for briefcase (GHSA-r3r2-35v9-v238)

high Tenable Cloud Security Plugin ID 439108

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Briefcase is a tool for converting a Python project into a standalone native application. Starting in
version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce an Windows MSI
installer for a project, and that project is installed for All Users (i.e., per-machine scope), the
installation process creates an directory that inherits all the permissions of the parent directory.
Depending on the location chosen by the installing user, this may allow a low privilege but authenticated
user to replace or modify the binaries installed by the application. If an administrator then runs the
altered binary, the binary will run with elevated privileges. The problem is caused by the template used
to generate the WXS file for Windows projects. It was fixed in the templates used in Briefcase 0.3.26,
0.4.0, and 0.4.1. Re-running `briefcase create` on your Briefcase project will result in the updated
templates being used. As a workaround, the patch can be added to any existing Briefcase .wxs file
generated by Briefcase 0.3.24 or later. (CVE-2026-33430)

Solution

Update the briefcase library and its related packages to version 0.3.26 or later.

See Also

https://github.com/advisories/GHSA-r3r2-35v9-v238

Plugin Details

Severity: High

ID: 439108

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 3/24/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.9

Percentile: 99.36

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-33430

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/23/2026

Vulnerability Publication Date: 3/23/2026

Reference Information

CVE: CVE-2026-33430

cwe: CWE-732