[Security-announce][CVE-2026-3479] pkgutil.get_data does not enforce documented restrictions

There is a LOW severity vulnerability affecting CPython.

pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.

Please see the linked CVE ID for the latest information on affected versions:

• https://www.cve.org/CVERecord?id=CVE-2026-3479
• https://github.com/python/cpython/pull/146122