CVE-2026-8643

MEDIUM

pip can extract console_scripts and gui_scripts outside installation directory

Title source: cna

Description

pip treated console_scripts and gui_scripts entry point names as paths rather than file names, and did not check that the resolved absolute path stayed within the installation directory, so entry points could be installed outside the installation directory.

Scores

CVSS v3 5.5
EPSS 0.0016
EPSS Percentile 6.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (2)
pypa/pip < 26.1.2
Python Packaging Authority/pip < 26.1.2
Published Jun 01, 2026
Tracked Since Jun 01, 2026