Damian Shaw

**Name of the Vulnerable Software and Affected Versions** pip (affected versions not specified) **Description** pip fails to sanitize the resolved absolute path to the installation directory when treating `console scripts` and `gui scripts` as paths rather than file names. This allows entry points to be installed outside the intended installation directory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pip versions prior to 26.1 **Description** The self-update check functionality runs after installing wheel files, which requires importing well-known Python module names. These imports were deferred to improve the startup time of the pip CLI. This behavior allows newly installed modules to be imported shortly after the installation of a wheel package. **Recommendations** Update to version 26.1 or later. Review package contents prior to installation.