pip doesn’t reject concatenated ZIP and tar archives_CVE-2026-3219

4.6 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Description

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Basic Information

ID CVE-2026-3219

Source PSF

Published Apr 20, 2026 at 14:55

Modified Apr 20, 2026 at 16:15

Affected Product

Vendor Python Packaging Authority

Product pip

Affected Versions Python Packaging Authority pip 0

CWE Classification

CWE-434

References

{
    "lastseen": "",
    "description": "pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing \"incorrect\" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.",
    "published": "2026-04-20T14:55:38.282Z",
    "modified": "2026-04-20T16:15:12.102Z",
    "type": "cve",
    "title": "pip doesn't reject concatenated ZIP and tar archives",
    "source": "PSF",
    "references": "https://github.com/pypa/pip/pull/13870\nhttps://mail.python.org/archives/list/[email protected]/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ/",
    "id": "CVE-2026-3219",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "Python Packaging Authority pip 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.6,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pip",
    "version": "0",
    "vendor": "Python Packaging Authority",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}