CVE-2026-8643— pip can extract console_scripts and gui_scripts outside installation directory

AI Predicted 6.5 Difficulty: Hard Updated Jun 02, 2026

Possible ATT&CK Techniques 2AI

T1059 · Command and Scripting Interpreter T1105 · Ingress Tool Transfer

Affected Version Matrix 1

Vendor	Product	Version Range	Status
Python Packaging Authority	pip	`< 26.1.2`	affected

Updated Jun 02, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-8643

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

pip can extract console_scripts and gui_scripts outside installation directory

Source: NVD (National Vulnerability Database)

Vulnerability Description

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Title

pip 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

pip是Python Packaging Authority开源的一个Python包安装程序。 pip存在安全漏洞，该漏洞源于安装恶意Python wheel时，特制入口点名称使用目录遍历或绝对路径，可能导致任意文件覆盖。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Python Packaging Authority	pip	0 ~ 26.1.2	-

II. Public POCs for CVE-2026-8643

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-8643

请登录查看更多情报信息。

Patches & Fixes for CVE-2026-8643 (1)

🔗 Reject entry point names that escape scripts dir by notatallshaw · Pull Request #14000 · pypa/pip · GitHub Read full article patch

Mailing List Discussions for CVE-2026-8643 (1)

🔗 Mailman 3 [CVE-2026-8643] pip can extract console_scripts and gui_scripts outside installation directory - Security-announce - python.orgvendor-advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-8643

IV. Related Vulnerabilities

Same product: pip

Same vendor: Python Packaging Authority

V. Comments for CVE-2026-8643

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-8643— pip can extract console_scripts and gui_scripts outside installation directory

Possible ATT&CK Techniques 2AI

Affected Version Matrix 1

I. Basic Information for CVE-2026-8643

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-8643

III. Intelligence Information for CVE-2026-8643

Patches & Fixes for CVE-2026-8643 (1)

Mailing List Discussions for CVE-2026-8643 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-8643

Leave a comment