CVE-2026-8643
- Source
- https://cve.org/CVERecord?id=CVE-2026-8643
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-8643.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-8643
- Aliases
- Downstream
- Related
- Published
- 2026-06-01T15:01:32.143Z
- Modified
- 2026-06-15T12:24:34.077628365Z
- Severity
-
- 4.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- pip can extract console_scripts and gui_scripts outside installation directory
- Details
-
pip would treat consolescripts and guiscripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8643.json", "cna_assigner": "PSF" }- References
-
- http://www.openwall.com/lists/oss-security/2026/06/01/5
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8643.json
- https://mail.python.org/archives/list/security-announce@python.org/thread/YV63UET5D3OOJY7O4M5XCVYO2YM4NBYJ/
- https://nvd.nist.gov/vuln/detail/CVE-2026-8643
- https://github.com/pypa/pip/pull/14000
- https://github.com/pypa/pip
- https://pypi.org/project/pip
Affected packages
Git / github.com/pypa/pip
Affected ranges
- Type
- GIT
- Repo
- https://github.com/pypa/pip
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Database specific
{ "extracted_events": [ { "introduced": "0" }, { "fixed": "26.1.2" }, { "introduced": "0" }, { "fixed": "26.1.2" } ], "cpe": "cpe:2.3:a:pypa:pip:*:*:*:*:*:*:*:*", "source": [ "AFFECTED_FIELD", "CPE_RANGE" ] }