CVE-2026-8643

UNKNOWN 0.0

pip can extract console_scripts and gui_scripts outside installation directory

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

2th

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

Vendor	python packaging authority
Product	pip
Published	Jun 1, 2026
Last Updated	Jun 2, 2026

Stay Ahead of the Next One

Get instant alerts for python packaging authority pip

Be the first to know when new unknown vulnerabilities affecting python packaging authority pip are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Python Packaging Authority / pip

0 < 26.1.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/pypa/pip/pull/14000 mail.python.org: https://mail.python.org/archives/list/[email protected]/thread/YV63UET5D3OOJY7O4M5XCVYO2YM4NBYJ/ openwall.com: http://www.openwall.com/lists/oss-security/2026/06/01/5

Credits

🔍 Lumír Balhar Damian Shaw (https://github.com/notatallshaw) Gregory P. Smith (https://github.com/gpshead) Jannis Leidel (https://github.com/jezdez) Pradyun Gedam (https://github.com/pradyunsg) Paul Moore (https://github.com/pfmoore)