Path Traversal Vulnerability in Pip for Python by PyPa
CVE-2026-8643
4.1 MEDIUM
What is CVE-2026-8643?
The pip package manager for Python treats the names of console_scripts and gui_scripts entry points as file paths rather than as bare filenames, and does not sanitize the resolved absolute path against the installation's script directory. A package whose entry point metadata contains path separators or ".." components can therefore have its entry point script written outside the designated directory. Because entry point scripts are executable files, this can compromise system integrity by placing executable content in unintended locations.
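The containment check the description refers to, shown as an added example written for this page (it is not pip's own code): a minimal parser for the console_scripts section of a constructed entry_points.txt, the unsafe "join the entry point name as a path" pattern, and a hardened version that requires a bare filename and then verifies that the absolute target's parent directory is exactly the scripts directory. The scripts directory /opt/venv/bin and the package metadata are hypothetical.

```python
import os

# Constructed entry_points.txt content (not from any real package): the first
# entry is a normal console script, the rest carry path components that a
# correct installer must refuse to use as filenames.
ENTRY_POINTS_TXT = """[console_scripts]
mytool = mypkg.cli:main
../../.bashrc = mypkg.cli:main
/tmp/evil = mypkg.cli:main
sub/dir/tool = mypkg.cli:main
"""


def parse_console_scripts(text):
    """Return the entry point names in the [console_scripts] section.

    Minimal parser for the INI-style entry_points.txt format; a gui_scripts
    section would be handled the same way.
    """
    names = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[console_scripts]"
            continue
        if in_section and "=" in line:
            names.append(line.split("=", 1)[0].strip())
    return names


def naive_script_path(scripts_dir, name):
    """The unsafe pattern: the entry point name is joined as a path.

    os.path.join drops scripts_dir entirely when name is absolute, and
    normpath collapses '..' components, so the result can land anywhere.
    """
    return os.path.normpath(os.path.join(scripts_dir, name))


def is_bare_filename(name):
    """True only if name is a single path component with no traversal.

    Backslashes are rejected even on POSIX because wheels are installed on
    Windows too, where a backslash is a path separator.
    """
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name:
        return False
    # Catches platform-specific oddities such as drive-relative names on Windows.
    return os.path.basename(name) == name


def safe_script_path(scripts_dir, name):
    """Hardened: reject non-bare names, then confirm the absolute target's
    parent is exactly the scripts directory (defence in depth)."""
    if not is_bare_filename(name):
        raise ValueError(f"entry point name is not a bare filename: {name!r}")
    base = os.path.abspath(scripts_dir)
    target = os.path.abspath(os.path.join(base, name))
    if os.path.dirname(target) != base:
        raise ValueError(f"entry point {name!r} resolves outside {base}")
    return target


def vet_entry_points(scripts_dir, text):
    """Plan script installation: accepted name -> path, plus rejected names."""
    accepted, rejected = {}, []
    for name in parse_console_scripts(text):
        try:
            accepted[name] = safe_script_path(scripts_dir, name)
        except ValueError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    scripts_dir = "/opt/venv/bin"  # hypothetical scripts directory
    for name in parse_console_scripts(ENTRY_POINTS_TXT):
        print(f"{name!r:20} naive -> {naive_script_path(scripts_dir, name)}")
    print(vet_entry_points(scripts_dir, ENTRY_POINTS_TXT))
```

The bare-filename check is the real fix; the parent-directory comparison is a second line of defence that also catches anything the first check might miss on an unusual platform. Run the block directly to see the naive path each constructed name would have been written to.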
Affected Version(s)
pip < 26.1.2 (all releases before 26.1.2; fixed in 26.1.2)
References
CVSS V4
Score: 4.1
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: Physical (value as listed on this page; CVSS v4 defines only None and Present for this metric)
Privileges Required: Undefined (not stated on this page)
User Interaction: Unknown (not stated on this page)
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lumír Balhar
Damian Shaw (https://github.com/notatallshaw)
Gregory P. Smith (https://github.com/gpshead)
Jannis Leidel (https://github.com/jezdez)
Pradyun Gedam (https://github.com/pradyunsg)
Paul Moore (https://github.com/pfmoore)
