Medium severity · NVD Advisory · Published Apr 20, 2026 · Updated Apr 20, 2026
CVE-2026-3219
Description
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
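As an added illustration of the corrected behaviour described above (example code written for this page, not pip's own code or the patch in pull request 13870): an archive is accepted only when it parses as exactly one of ZIP or tar and that format agrees with the file name. The function names, the extension tables and the in-memory fixtures are assumptions of this example; the fixtures are constructed with the standard library so the check can be exercised offline.

```python
import io
import tarfile
import zipfile

def is_zip_bytes(data: bytes) -> bool:
    # A ZIP is located from its central directory at the END of the file.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.namelist()
        return True
    except (zipfile.BadZipFile, OSError):
        return False

def is_tar_bytes(data: bytes) -> bool:
    # A tar is parsed from 512-byte headers at the START of the file ("r:*" also accepts compressed tars).
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            tf.getmembers()
        return True
    except tarfile.TarError:
        return False

def classify_archive(data: bytes) -> str:
    """Return 'zip', 'tar', 'ambiguous' (valid as both, e.g. a tar followed by a ZIP) or 'unknown'."""
    zip_ok, tar_ok = is_zip_bytes(data), is_tar_bytes(data)
    if zip_ok and tar_ok:
        return "ambiguous"
    return "zip" if zip_ok else "tar" if tar_ok else "unknown"

def safe_to_install(filename: str, data: bytes) -> bool:
    """Proceed only when the content is exactly one archive type and that type matches the filename."""
    # Extension tables are an assumption for this example, not pip's own lists.
    expected = {"zip": (".zip", ".whl"), "tar": (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz")}
    kind = classify_archive(data)  # 'ambiguous' and 'unknown' are refused outright
    return kind in expected and filename.lower().endswith(expected[kind])

def make_tar(member: str, payload: bytes) -> bytes:  # constructed fixture: one-member uncompressed tar
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(member)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def make_zip(member: str, payload: bytes) -> bytes:  # constructed fixture: one-member ZIP
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()
```

Because the two readers anchor at opposite ends of the file, `make_tar(...) + make_zip(...)` satisfies both and is classified as ambiguous, so `safe_to_install` refuses it whatever the file name says.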
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pip (PyPI) | <= 26.0.1 | — |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- github.com/advisories/GHSA-58qw-9mgm-455v (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-3219 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2026/04/20/8 (NVD, web)
- github.com/pypa/pip/pull/13870 (NVD, web)
- mail.python.org/archives/list/security-announce@python.org/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ (GHSA, web)
- mail.python.org/archives/list/security-announce@python.org/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ/ (NVD)
News mentions: 0
No linked articles in our index yet.