8

CVE-2026-8643

pip can extract console_scripts and gui_scripts outside installation directory

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PypaPip Version < 26.1.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.32% 0.238
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
cna@python.org 4.1 0 0
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8 2.1 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/pypa/pip/pull/14000
Patch
Issue Tracking
http://www.openwall.com/lists/oss-security/2026/06/01/5
Third Party Advisory
Mailing List
https://bugzilla.redhat.com/show_bug.cgi?id=2460927
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8643.json
https://access.redhat.com/errata/RHSA-2026:34374
https://mail.python.org/archives/list/security-announce@python.org/thread/YV63UET5D3OOJY7O4M5XCVYO2YM4NBYJ/
Vendor Advisory
Mailing List
https://access.redhat.com/errata/RHSA-2026:33313
https://access.redhat.com/errata/RHSA-2026:34456
https://access.redhat.com/errata/RHSA-2026:34739
https://access.redhat.com/errata/RHSA-2026:34740
https://access.redhat.com/errata/RHSA-2026:34741
https://access.redhat.com/errata/RHSA-2026:34748
https://access.redhat.com/errata/RHSA-2026:34749
https://access.redhat.com/errata/RHSA-2026:34750
https://access.redhat.com/errata/RHSA-2026:34752
https://access.redhat.com/errata/RHSA-2026:34756
https://access.redhat.com/errata/RHSA-2026:34758
https://access.redhat.com/errata/RHSA-2026:34760
https://access.redhat.com/errata/RHSA-2026:34765
https://access.redhat.com/errata/RHSA-2026:34772
https://access.redhat.com/errata/RHSA-2026:34773
https://access.redhat.com/errata/RHSA-2026:34774
https://access.redhat.com/errata/RHSA-2026:34775
https://access.redhat.com/errata/RHSA-2026:34776
https://access.redhat.com/errata/RHSA-2026:34777
https://access.redhat.com/errata/RHSA-2026:34778
https://access.redhat.com/errata/RHSA-2026:34780
https://access.redhat.com/errata/RHSA-2026:34891
https://access.redhat.com/errata/RHSA-2026:36193
https://access.redhat.com/security/cve/CVE-2026-8643
https://access.redhat.com/errata/RHSA-2026:36315