PT-2026-45480 · Pypi · Pip

Damian Shaw

Published

2026-05-28

Updated

2026-06-05

CVE-2026-8643

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions pip (affected versions not specified)

Description pip fails to sanitize the resolved absolute path to the installation directory when treating console scripts and gui scripts as paths rather than file names. This allows entry points to be installed outside the intended installation directory.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2026-8643

ECHO-E120-768D-97D2

OESA-2026-2544

OPENSUSE-SU-2026:10940-1

PYSEC-2026-196

Affected Products

Pip

PT-2026-45480 · Pypi · Pip

CVE-2026-8643

Weakness Enumeration

Related Identifiers

Affected Products

References · 21