https://www.cve.org/CVERecord?id=CVE-2026-8643 currently lists
the affected versions as "affected from 0 before 26.1.2".
-------- Forwarded Message --------
Subject: [Security-announce][CVE-2026-8643] pip can extract console_scripts and
gui_scripts outside installation directory
Date: Mon, 1 Jun 2026 15:03:45 +0000
From: Seth Larson <[email protected]>
Reply-To: [email protected]
To: [email protected]
There is a MEDIUM severity vulnerability affecting pip.
pip would treat console_scripts and gui_scripts as paths instead of file names
without sanitizing the resolved absolute path to the installation directory,
leading to entry points being installed outside the installation directory.
Please see the linked CVE ID for the latest information on affected versions:
* https://www.cve.org/CVERecord?id=CVE-2026-8643
* https://github.com/pypa/pip/pull/14000
_______________________________________________
Security-announce mailing list -- [email protected]
https://mail.python.org/mailman3//lists/security-announce.python.org
