diff --git a/devel/py-installer/Makefile b/devel/py-installer/Makefile
index 3de6a1a55d89..4bd4a88a9de0 100644
--- a/devel/py-installer/Makefile
+++ b/devel/py-installer/Makefile
@@ -1,25 +1,26 @@ PORTNAME= installer PORTVERSION= 1.0.0 +PORTREVISION= 1 CATEGORIES= devel python MASTER_SITES= PYPI PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} MAINTAINER= sunpoet@FreeBSD.org COMMENT= Library for installing Python wheels WWW= https://installer.pypa.io/en/stable/ \ https://github.com/pypa/installer LICENSE= MIT LICENSE_FILE= ${WRKSRC}/LICENSE USES= python USE_PYTHON= allflavors autoplist concurrent pep517 MAKE_ENV= PYTHONPATH=${WRKSRC}/src NO_ARCH= yes PEP517_BUILD_CMD= ${PYTHON_CMD} -m flit_core.wheel PEP517_BUILD_DEPEND= ${PYTHON_PKGNAMEPREFIX}flit-core>=3.11<4:devel/py-flit-core@${PY_FLAVOR} PEP517_INSTALL_DEPEND= # empty .include
diff --git a/devel/py-installer/files/patch-src_installer_destinations.py b/devel/py-installer/files/patch-src_installer_destinations.py
new file mode 100644
index 000000000000..1079affcaa6c
--- /dev/null
+++ b/devel/py-installer/files/patch-src_installer_destinations.py
@@ -0,0 +1,28 @@
+Combination of https://github.com/pypa/installer/commit/8b72cf945bfa and
+https://github.com/pypa/installer/commit/b5f03f151f0e.
+See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294631 and
+https://github.com/pypa/installer/issues/325.
+
+--- src/installer/destinations.py.orig 2026-03-28 15:38:56 UTC
++++ src/installer/destinations.py
+@@ -136,8 +136,18 @@ class SchemeDictionaryDestination(WheelDestination):
+ """Silently overwrite existing files."""
+
+ def _path_with_destdir(self, scheme: Scheme, path: str) -> Path:
+- target_dir = Path(self.scheme_dict[scheme]).resolve()
+- file = (target_dir / path).resolve()
++ # See https://docs.python.org/3/library/zipfile.html#zipfile.Path:
++ # When handling untrusted archives,
++ # consider resolving filenames using os.path.abspath()
++ # and checking against the target directory with os.path.commonpath().
++ #
++ # Attention: Path.absolute() is not sufficient because it does not
++ # normalize, i.e. does not remove "..".
++ #
++ # We want to avoid Path.resolve() because it is significantly slower
++ # than os.path.abspath()!
++ target_dir = Path(os.path.abspath(self.scheme_dict[scheme])) # noqa: PTH100
++ file = Path(os.path.abspath(target_dir / path)) # noqa: PTH100
+
+ if not file.is_relative_to(target_dir):
+ raise ValueError(
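Review bot: The two added assignment lines in `_path_with_destdir` call `os.path.abspath`, but nothing in this patch adds `import os` to src/installer/destinations.py; if the module does not already import it, every install fails with a NameError, so confirm the import is present in the 1.0.0 sources (the upstream commits being combined may carry it outside this hunk). The replaced `.resolve()` calls followed symlinks, whereas the new `abspath()`-based check is purely lexical: it normalizes `..` and, because `target_dir / path` discards `target_dir` for an absolute `path`, also rejects absolute entry names via the existing `is_relative_to` test, but a symlinked component already present under the scheme directory passes the check while the write lands elsewhere. That trade-off is deliberate per the speed comment in the hunk, but it deserves one explicit line next to the check, e.g. `# Lexical check only: abspath() does not resolve symlinks; this rejects ".." and absolute wheel paths, not symlinked targets.` The enclosing class and the remainder of `_path_with_destdir` (the `raise ValueError(` arguments) lie outside the hunk.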