CVE-2026-8643

pip can extract console_scripts and gui_scripts outside installation directory

Published: 6/1/2026 Last updated: 6/2/2026 Reserved: 5/14/2026

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

CNA assigner: PSF (28c92f92-d60d-412d-b760-e73465c3df22) Requested by: n/a

Metrics

Version Score Severity Vector String
4.0 4.1 Medium CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Opam packages affected (1)

catala

Products affected (2)

Product Vendor Version
pip Python Packaging Authority < publication
pip Python Packaging Authority 3.5 on Windows 8.1 for x64-based systems