CVE-2026-8643

Summary

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

Affected Software

VendorProductVersion RangeStatus
Python Packaging Authoritypip24.0 < 26.1.2affected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

python-pip: Path traversal via malicious entry point name in pip wheel installation allows arbitrary file overwrite

Additional References

References