
Description

pip treated the names of console_scripts and gui_scripts entry points as paths rather than as file names, without checking that the resolved absolute path lay within the installation directory, so entry points could be installed outside the installation directory.

Status: PUBLISHED | Reserved 2026-05-14 | Published 2026-06-01 | Updated 2026-06-02 | Assigner: PSF

Severity: MEDIUM 4.1 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N)

Product status

Default status: unaffected

Any version before 26.1.2: affected

Credits

Lumír Balhar reporter

Damian Shaw (https://github.com/notatallshaw) remediation developer

Gregory P. Smith (https://github.com/gpshead) remediation reviewer

Jannis Leidel (https://github.com/jezdez) remediation reviewer

Pradyun Gedam (https://github.com/pradyunsg) remediation reviewer

Paul Moore (https://github.com/pfmoore) remediation reviewer

References

www.openwall.com/lists/oss-security/2026/06/01/5

github.com/pypa/pip/pull/14000 patch

mail.python.org/.../thread/YV63UET5D3OOJY7O4M5XCVYO2YM4NBYJ/ vendor-advisory

cve.org (CVE-2026-8643)

nvd.nist.gov (CVE-2026-8643)
