Medium severity5.5NVD Advisory· Published Jun 1, 2026· Updated Jun 4, 2026
CVE-2026-8643
CVE-2026-8643
Description
pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
6- Package: https://pypi.org/project/pip
- osv-coords3 versionspkg:rpm/almalinux/python3.14-pippkg:rpm/almalinux/python3.14-pip-wheelpkg:rpm/opensuse/python-pip&distro=openSUSE%20Tumbleweed
< 25.2-3.el10_2.5+ 2 more
- (no CPE)range: < 25.2-3.el10_2.5
- (no CPE)range: < 25.2-3.el10_2.5
- (no CPE)range: < 26.1.2-1.1
Patches
Vulnerability mechanics
References
3- github.com/pypa/pip/pull/14000nvdIssue TrackingPatch
- www.openwall.com/lists/oss-security/2026/06/01/5nvdMailing ListThird Party Advisory
- mail.python.org/archives/list/security-announce@python.org/thread/YV63UET5D3OOJY7O4M5XCVYO2YM4NBYJ/nvdMailing ListVendor Advisory
News mentions
0No linked articles in our index yet.