CVE-2026-3219

UNKNOWN 0.0

pip doesn't reject concatenated ZIP and tar archives

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Vendor	python packaging authority
Product	pip
Published	Apr 20, 2026
Last Updated	Apr 20, 2026

Stay Ahead of the Next One

Get instant alerts for python packaging authority pip

Be the first to know when new unknown vulnerabilities affecting python packaging authority pip are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Python Packaging Authority / pip

0 < 26.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/pypa/pip/pull/13870 mail.python.org: https://mail.python.org/archives/list/[email protected]/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ/