๐Ÿ” CVE Alert

CVE-2026-59890

MEDIUM 6.1

setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NFC/NFD) on macOS APFS/HFS+

CVSS Score
6.1
EPSS Score
0.0%
EPSS Percentile
0th

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.

CWE CWE-176 CWE-697
Vendor pypa
Product setuptools
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for pypa setuptools

Be the first to know when new medium vulnerabilities affecting pypa setuptools are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Affected Versions

pypa / setuptools
< 83.0.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/pypa/setuptools/security/advisories/GHSA-h35f-9h28-mq5c github.com: https://github.com/pypa/setuptools/commit/dd9f436a36486b4cb8a4c70a2321548b0be09b8f github.com: https://github.com/pypa/setuptools/releases/tag/v83.0.0