CVE-2026-3219

Source
https://cve.org/CVERecord?id=CVE-2026-3219
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-3219.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-3219
Aliases
Downstream
Related
Published
2026-04-20T14:55:38.282Z
Modified
2026-06-18T03:56:18.277654911Z
Severity
  • 4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
pip doesn't reject concatenated ZIP and tar archives
Details

pip treats a file that is a concatenation of a tar archive and a ZIP archive as a ZIP file, regardless of the file's name and regardless of the fact that the file parses as both a tar and a ZIP archive. This can produce confusing installation behavior, such as installing "incorrect" files relative to what the archive's filename suggests. The fixed behavior proceeds with installation only if the file identifies uniquely as either a ZIP or a tar archive, not as both.
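The following is an added example, not pip's own code, that reproduces the ambiguity the advisory describes and shows the kind of check the fixed behavior performs: it builds three constructed files in a temporary directory (a plain tar, a plain ZIP, and a tar with a ZIP appended, deliberately named with a `.tar` extension), asks Python's standard `tarfile` and `zipfile` modules how each file looks to them, and refuses the file that both parsers accept. The archive names, member names and file contents are constructed for the demonstration.

```python
import io
import tarfile
import tempfile
import zipfile
from pathlib import Path


def classify_archive(path):
    """Return 'zip', 'tar', 'ambiguous' or 'unknown' for a file on disk.

    A file that both parsers accept is reported as 'ambiguous'; this is the
    case the advisory is about, and the safe decision is to reject it rather
    than let one parser win by default.
    """
    looks_zip = zipfile.is_zipfile(path)   # checks for an end-of-central-directory record near EOF
    looks_tar = tarfile.is_tarfile(path)   # checks for a valid tar header at the start of the file
    if looks_zip and looks_tar:
        return "ambiguous"
    if looks_zip:
        return "zip"
    if looks_tar:
        return "tar"
    return "unknown"


def inspect_archive(path):
    """Describe how each parser sees the file: its kind plus the members each parser lists."""
    tar_members, zip_members = [], []
    if tarfile.is_tarfile(path):
        with tarfile.open(path) as tf:
            tar_members = tf.getnames()
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            zip_members = zf.namelist()
    return {
        "kind": classify_archive(path),
        "tar_members": tar_members,
        "zip_members": zip_members,
    }


def should_install(path):
    """Mirror the fixed policy: proceed only when the file is uniquely a ZIP or uniquely a tar."""
    return classify_archive(path) in ("zip", "tar")


def _tar_bytes():
    # Constructed tar archive holding one small file.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        data = b"print('from tar')\n"
        info = tarfile.TarInfo("pkg/tar_only.py")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _zip_bytes():
    # Constructed ZIP archive holding one small file with a different name.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/zip_only.py", "print('from zip')\n")
    return buf.getvalue()


def build_samples(directory):
    """Write the three constructed sample files and return name -> path."""
    d = Path(directory)
    samples = {
        "plain.tar": _tar_bytes(),
        "plain.zip": _zip_bytes(),
        # tar first, ZIP appended: tar readers stop at the tar end-of-archive marker,
        # ZIP readers locate the central directory from the end of the file, so both accept it.
        "concat.tar": _tar_bytes() + _zip_bytes(),
    }
    for name, data in samples.items():
        (d / name).write_bytes(data)
    return {name: str(d / name) for name in samples}


def audit_samples():
    """Build the samples in a temp dir and return name -> inspection result."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_samples(tmp)
        return {name: inspect_archive(p) for name, p in paths.items()}


if __name__ == "__main__":
    for name, info in audit_samples().items():
        print(f"{name}: {info['kind']}  tar={info['tar_members']}  zip={info['zip_members']}")
```

Running the block shows why the filename alone is not a trustworthy signal: `concat.tar` lists `pkg/tar_only.py` when read as a tar and `pkg/zip_only.py` when read as a ZIP, so a tool that picks the ZIP reader installs a file the `.tar` name never hinted at. `should_install` returns `True` only for the two unambiguous samples.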

Database specific
{
    "cna_assigner": "PSF",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/3xxx/CVE-2026-3219.json"
}
References

Affected packages

Git / github.com/pypa/pip

Affected ranges

Type
GIT
Repo
https://github.com/pypa/pip
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "26.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.3
0.6
0.7
0.7.1
0.8
0.8.2
0.8.3
1.*
1.0
1.2
1.4rc1
1.4rc2
10.*
10.0.0
10.0.1
18.*
18.0
18.1
19.*
19.0
19.0.2
19.1.1
20.*
20.0.2
21.*
21.0
21.3
26.*
26.0
6.*
6.0
9.*
9.0.0
9.0.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-3219.json"