pip can extract console_scripts and gui_scripts outside installation directory

4.1 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

Basic Information

ID CVE-2026-8643

Source PSF

Published Jun 1, 2026 at 15:01

Modified Jun 1, 2026 at 15:07

Affected Product

Vendor Python Packaging Authority

Product pip

Affected Versions Python Packaging Authority pip 0

References

{
    "lastseen": "",
    "description": "pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.",
    "published": "2026-06-01T15:01:32.143Z",
    "modified": "2026-06-01T15:07:38.157Z",
    "type": "cve",
    "title": "pip can extract console_scripts and gui_scripts outside installation directory",
    "source": "PSF",
    "references": "https://github.com/pypa/pip/pull/14000\nhttps://mail.python.org/archives/list/[email protected]/thread/YV63UET5D3OOJY7O4M5XCVYO2YM4NBYJ/",
    "id": "CVE-2026-8643",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Python Packaging Authority pip 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pip",
    "version": "0",
    "vendor": "Python Packaging Authority",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

pip can extract console_scripts and gui_scripts outside installation directory_CVE-2026-8643

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply