CVE-2026-8643

EUVD-2026-33682
pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
Affected Products (NVD)
VendorProductVersion
pypapip
𝑥
< 26.1.2
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
Red HatRed Hat Enterprise Linux 10
0:25.2-3.el10_2.5 ≤
𝑥
< *
ADP
Red HatRed Hat Enterprise Linux 9
0:25.2-3.el9_8.5 ≤
𝑥
< *
ADP
Red HatRed Hat Ansible Automation Platform 2.6
1782711769 ≤
𝑥
< *
ADP
Red HatRed Hat Ansible Automation Platform 2.6
1782713671 ≤
𝑥
< *
ADP
Red HatRed Hat Ansible Automation Platform 2.6
1782761510 ≤
𝑥
< *
ADP
Red HatRed Hat Discovery 2
1782763840 ≤
𝑥
< *
ADP
Red HatRed Hat Hardened Images
26.1.1-3.1.hum1 ≤
𝑥
< *
ADP
Red HatRed Hat Hardened Images
26.1.2-1.hum1 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.0
1782929133 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.0
1782928984 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.0
1782968171 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.0
1782929069 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.0
1782928977 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.2
1782915416 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.2
1782915184 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.2
1782914833 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.2
1782914721 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.2
1782914751 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.2
1782914629 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782915056 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782916020 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782914960 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782914644 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782914706 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782915015 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782914779 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782914653 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1783010225 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782887848 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782471555 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782471579 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1783073038 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782991170 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782471656 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782471663 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1783069204 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782991170 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782133213 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782726504 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782135464 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782136276 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782135346 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132167 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132207 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132237 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132240 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132286 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132236 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132163 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132297 ≤
𝑥
< *
ADP
Red HatRed Hat Trusted Artifact Signer 1.4
1782485441 ≤
𝑥
< *
ADP
Debian logo
Debian Releases
Debian Product
Codename
python-pip
bookworm
no-dsa
bullseye
postponed
bullseye (security)
vulnerable
forky
26.1.2+dfsg-1
fixed
sid
26.1.2+dfsg-1
fixed
trixie
no-dsa
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
python3.14-pip
RHEL 9
0:25.2-3.el9_8.5
fixed
python3.14-pip-wheel
RHEL 9
0:25.2-3.el9_8.5
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
python-pip-wheel
Amazon Linux 2
0:20.2.2-1.amzn2.0.18
fixed
python2-pip
Amazon Linux 2
0:20.2.2-1.amzn2.0.18
fixed
python3-pip
Amazon Linux 2
0:20.2.2-1.amzn2.0.18
fixed
Amazon Linux 2023
0:21.3.1-2.amzn2023.0.20
fixed
python3-pip-wheel
Amazon Linux 2023
0:21.3.1-2.amzn2023.0.20
fixed
python3.11-pip
Amazon Linux 2023
0:22.3.1-2.amzn2023.0.13
fixed
python3.11-pip-wheel
Amazon Linux 2023
0:22.3.1-2.amzn2023.0.13
fixed
python3.12-pip
Amazon Linux 2023
0:23.2.1-4.amzn2023.0.10
fixed
python3.12-pip-wheel
Amazon Linux 2023
0:23.2.1-4.amzn2023.0.10
fixed
python3.13-pip
Amazon Linux 2023
0:24.2-259.amzn2023.0.7
fixed
python3.13-pip-wheel
Amazon Linux 2023
0:24.2-259.amzn2023.0.7
fixed
python3.14-pip
Amazon Linux 2023
0:26.1.1-1.amzn2023.0.2
fixed
python3.14-pip-wheel
Amazon Linux 2023
0:26.1.1-1.amzn2023.0.2
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
python-pip
Azure Linux 3.0
0:24.2-9.azl3
fixed
python-virtualenv
Azure Linux 3.0
0:20.36.1-5.azl3
fixed
References